Vulnerabilities / Threats

12/14/2015
10:30 AM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Making Security Everyones Job, One Carrot At A Time

These five user education strategies will turn employee bad behavior into bulletproof policies that protect data and systems.

Most computer security folks have probably experienced the feeling that their primary jobs are finger-wagging and dispensing punishments. It can be disheartening to feel like you’re perceived as the wet blanket that’s slowing down the advance of innovation, and knowing people dread interacting with your department.

Are there ways to change the prevailing mindset so that security isn’t viewed as a stick to beat people into compliance, but rather as a carrot to entice people into habits of safer behavior? It’s often said that the best way to train desired behavior is to reward people for doing things they’re already inclined to do. With this in mind, you can use people’s existing behaviors to make your systems and data more secure.

Here are five ways to redirect user behavior toward the common security good:

Reward timely maintenance
In the days when users had to initiate regular AV scans on their own machines, one company I’d heard from used to pick a user’s machine each week on which to hide a test file. Any users who performed a scan and detected the test file by the end of the week would be entered into a drawing for a prize. While this specific scenario would be a bit outdated today, there are plenty of other opportunities to reward users for performing timely, routine security maintenance on their machines or accounts: This would include almost any action that would otherwise require nagging emails or locking people out of their accounts, or any security technology that is currently considered optional.

Drill for mastery
Many companies do a periodic security test, the most common of which is to send a fairly obvious phishing email to see how many users bite. In most companies, about a third of users fail the test, and a handful of that portion inevitably sends furious emails about how unprofessional and unfair these tests are. But these same people would never complain about a fire drill; this is because they fully understand that those drills are meant to protect their own safety as well as that of coworkers, and they know what skillful behavior entails.

In reality, fires and phishing are much more unpredictable and complicated than we can simulate. The idea is still the same: Give people regular exercises that allow them to perform a given set of steps even when a stressful event occurs, so that they won’t do something in an emergency that could cause more harm. It may feel like “teaching to the test,” but having ubiquitous posters and reminders about proper email hygiene may give users a sense of mastery over phishing drills, rather than feeling duped. You can also “gamify” these activities so that individuals or departments who perform well consistently get a small gift.

Enlist employees to help in intelligence gathering
Have you ever wondered what attack attempts made it past your technological defenses and into your employees' inboxes? One security practitioner I spoke with asked her users to submit any emails they received that they suspected were phishes, spam, scams or malware. This allowed her to see how attackers were probing their defenses, to improve education and to enhance network filters. This could also include incentives for users who are most prolific and accurate in their submissions.

Hunt for security fails
Even with the most thorough of searches, it can be exceptionally difficult to root out all the assets that need protecting, and discover how people use them. Most security groups don’t have the personnel power to sit with every single employee to see if the existing products and procedures are the best way to secure their workflow. But most employees are happy to identify ways in which security fails, if they’re not penalized for it. Indeed, if you reward that sort of behavior, you’ll have those corner cases and security end-runs identified in no time, so that you can work together to fix them.

It’s ok to break things
As anyone who’s done technical support can tell you, users are exceptionally skilled at breaking things in unexpected (and often perplexing) ways. While this could be considered problematic, it can also be a great way to root out software and system vulnerabilities. If you offer people incentives to report those vulnerabilities, you can then correct configuration errors and disclose product problems to the appropriate vendor.

While there is a time and a place for applying negative consequences for security lapses, there are plenty of ways to increase positivity, and to share a feeling of mutual assistance. If there is too much blame and shame associated with security, you may miss major areas of weakness that are common knowledge to your users.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/14/2015 | 12:36:36 PM
Good Practices
It made me feel good that my company performs most if not all of these practices. These are a good start especially for organizations that aren't sure of where to start when it comes to user awareness and security training.
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.