Security Awareness Training and Incentives

I had an interesting conversation last week about the importance of security awareness training. I know this is a controversial topic, with many in the industry believing that it’s a waste of time. Ben Tomhave makes a really important point about getting users to pay attention to security policies. In his words:

The problem is this: people are once again falling into that rut of blaming the users for making bad security decisions, all the while having created, sustained, and grown an enablement culture that drastically abstracts users from the impact of those decisions. Plainly put: if the users don’t feel the pain of their bad decisions, then they have no incentive to make a change. This is basic psychology.

It’s time to quit trying the same old stupid donkey tricks. What we’re doing has failed, and will continue to fail. The rules of this game mean we lose – every. single. time. We need to change those rules, and fast. Specifically, we need to:

  1. Include security responsibilities in all job descriptions.
  2. Tie security performance into employee performance reviews.
  3. Include disciplinary actions for all security incidents.

Tomhave calls this psychology. I relate it to the “economics of security” as described by Tyler Moore and Ross Anderson.