Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/14/2015
10:30 AM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Making Security Everyones Job, One Carrot At A Time

These five user education strategies will turn employee bad behavior into bulletproof policies that protect data and systems.

Most computer security folks have probably experienced the feeling that their primary jobs are finger-wagging and dispensing punishments. It can be disheartening to feel like you’re perceived as the wet blanket that’s slowing down the advance of innovation, and knowing people dread interacting with your department.

Are there ways to change the prevailing mindset so that security isn’t viewed as a stick to beat people into compliance, but rather as a carrot to entice people into habits of safer behavior? It’s often said that the best way to train desired behavior is to reward people for doing things they’re already inclined to do. With this in mind, you can use people’s existing behaviors to make your systems and data more secure.

Here are five ways to redirect user behavior toward the common security good:

Reward timely maintenance
In the days when users had to initiate regular AV scans on their own machines, one company I’d heard from used to pick a user’s machine each week on which to hide a test file. Any users who performed a scan and detected the test file by the end of the week would be entered into a drawing for a prize. While this specific scenario would be a bit outdated today, there are plenty of other opportunities to reward users for performing timely, routine security maintenance on their machines or accounts: This would include almost any action that would otherwise require nagging emails or locking people out of their accounts, or any security technology that is currently considered optional.

Drill for mastery
Many companies do a periodic security test, the most common of which is to send a fairly obvious phishing email to see how many users bite. In most companies, about a third of users fail the test, and a handful of that portion inevitably sends furious emails about how unprofessional and unfair these tests are. But these same people would never complain about a fire drill; this is because they fully understand that those drills are meant to protect their own safety as well as that of coworkers, and they know what skillful behavior entails.

In reality, fires and phishing are much more unpredictable and complicated than we can simulate. The idea is still the same: Give people regular exercises that allow them to perform a given set of steps even when a stressful event occurs, so that they won’t do something in an emergency that could cause more harm. It may feel like “teaching to the test,” but having ubiquitous posters and reminders about proper email hygiene may give users a sense of mastery over phishing drills, rather than feeling duped. You can also “gamify” these activities so that individuals or departments who perform well consistently get a small gift.

Enlist employees to help in intelligence gathering
Have you ever wondered what attack attempts made it past your technological defenses and into your employees' inboxes? One security practitioner I spoke with asked her users to submit any emails they received that they suspected were phishes, spam, scams or malware. This allowed her to see how attackers were probing their defenses, to improve education and to enhance network filters. This could also include incentives for users who are most prolific and accurate in their submissions.

Hunt for security fails
Even with the most thorough of searches, it can be exceptionally difficult to root out all the assets that need protecting, and discover how people use them. Most security groups don’t have the personnel power to sit with every single employee to see if the existing products and procedures are the best way to secure their workflow. But most employees are happy to identify ways in which security fails, if they’re not penalized for it. Indeed, if you reward that sort of behavior, you’ll have those corner cases and security end-runs identified in no time, so that you can work together to fix them.

It’s ok to break things
As anyone who’s done technical support can tell you, users are exceptionally skilled at breaking things in unexpected (and often perplexing) ways. While this could be considered problematic, it can also be a great way to root out software and system vulnerabilities. If you offer people incentives to report those vulnerabilities, you can then correct configuration errors and disclose product problems to the appropriate vendor.

While there is a time and a place for applying negative consequences for security lapses, there are plenty of ways to increase positivity, and to share a feeling of mutual assistance. If there is too much blame and shame associated with security, you may miss major areas of weakness that are common knowledge to your users.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/14/2015 | 12:36:36 PM
Good Practices
It made me feel good that my company performs most if not all of these practices. These are a good start especially for organizations that aren't sure of where to start when it comes to user awareness and security training.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .