Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/14/2015
10:30 AM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Making Security Everyones Job, One Carrot At A Time

These five user education strategies will turn employee bad behavior into bulletproof policies that protect data and systems.

Most computer security folks have probably experienced the feeling that their primary jobs are finger-wagging and dispensing punishments. It can be disheartening to feel like you’re perceived as the wet blanket that’s slowing down the advance of innovation, and knowing people dread interacting with your department.

Are there ways to change the prevailing mindset so that security isn’t viewed as a stick to beat people into compliance, but rather as a carrot to entice people into habits of safer behavior? It’s often said that the best way to train desired behavior is to reward people for doing things they’re already inclined to do. With this in mind, you can use people’s existing behaviors to make your systems and data more secure.

Here are five ways to redirect user behavior toward the common security good:

Reward timely maintenance
In the days when users had to initiate regular AV scans on their own machines, one company I’d heard from used to pick a user’s machine each week on which to hide a test file. Any users who performed a scan and detected the test file by the end of the week would be entered into a drawing for a prize. While this specific scenario would be a bit outdated today, there are plenty of other opportunities to reward users for performing timely, routine security maintenance on their machines or accounts: This would include almost any action that would otherwise require nagging emails or locking people out of their accounts, or any security technology that is currently considered optional.

Drill for mastery
Many companies do a periodic security test, the most common of which is to send a fairly obvious phishing email to see how many users bite. In most companies, about a third of users fail the test, and a handful of that portion inevitably sends furious emails about how unprofessional and unfair these tests are. But these same people would never complain about a fire drill; this is because they fully understand that those drills are meant to protect their own safety as well as that of coworkers, and they know what skillful behavior entails.

In reality, fires and phishing are much more unpredictable and complicated than we can simulate. The idea is still the same: Give people regular exercises that allow them to perform a given set of steps even when a stressful event occurs, so that they won’t do something in an emergency that could cause more harm. It may feel like “teaching to the test,” but having ubiquitous posters and reminders about proper email hygiene may give users a sense of mastery over phishing drills, rather than feeling duped. You can also “gamify” these activities so that individuals or departments who perform well consistently get a small gift.

Enlist employees to help in intelligence gathering
Have you ever wondered what attack attempts made it past your technological defenses and into your employees' inboxes? One security practitioner I spoke with asked her users to submit any emails they received that they suspected were phishes, spam, scams or malware. This allowed her to see how attackers were probing their defenses, to improve education and to enhance network filters. This could also include incentives for users who are most prolific and accurate in their submissions.

Hunt for security fails
Even with the most thorough of searches, it can be exceptionally difficult to root out all the assets that need protecting, and discover how people use them. Most security groups don’t have the personnel power to sit with every single employee to see if the existing products and procedures are the best way to secure their workflow. But most employees are happy to identify ways in which security fails, if they’re not penalized for it. Indeed, if you reward that sort of behavior, you’ll have those corner cases and security end-runs identified in no time, so that you can work together to fix them.

It’s ok to break things
As anyone who’s done technical support can tell you, users are exceptionally skilled at breaking things in unexpected (and often perplexing) ways. While this could be considered problematic, it can also be a great way to root out software and system vulnerabilities. If you offer people incentives to report those vulnerabilities, you can then correct configuration errors and disclose product problems to the appropriate vendor.

While there is a time and a place for applying negative consequences for security lapses, there are plenty of ways to increase positivity, and to share a feeling of mutual assistance. If there is too much blame and shame associated with security, you may miss major areas of weakness that are common knowledge to your users.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/14/2015 | 12:36:36 PM
Good Practices
It made me feel good that my company performs most if not all of these practices. These are a good start especially for organizations that aren't sure of where to start when it comes to user awareness and security training.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.