BreachExchange mailing list archives

Five sneaky ways companies are changing employees’ security behavior


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Feb 2015 20:18:52 -0700

http://www.csoonline.com/article/2881940/security-awareness/five-sneaky-ways-companies-are-changing-employees-security-behavior.html

Like precocious teenagers, some employees don’t want to be told what to do
when it comes to cyber security. Too many rules about what they can and
cannot do with technology can lead to bad decisions that inadvertently put
company data at risk. Instead, a more subtle approach is required to help
them make better decisions on their own.

But changing employees’ behavior is no easy task. People have an innate
need to socialize and share information, says Alessandro Acquisti,
professor of IT and public policy at Carnegie Mellon University, and a
member of Carnegie Mellon CyLab.


In studies, self-disclosure was found to trigger neural mechanisms in the
brain that are associated with reward, showing that people highly value the
ability to share thoughts and feelings with others. In one experiment,
subjects were even willing to pass up money for the chance to disclose
information about themselves.

“The problem is that modern technology has increased our ability to
disclose information to such a degree that we no longer realize how much
we’re giving and to how many people,” Acquisti says.

Awareness training for employees does help, according to Aberdeen Group.
Changing employee behavior reduces the risk of a security breach by 45% to
70%. What’s more, it can be accomplished with less foot-dragging than
security leaders might think – if they pull the right behavioral strings.

Here are five sneaky ways employers and researchers are leveraging positive
and equally powerful human behaviors to guide employees toward better
security decisions.

1. The Hero

Insurance provider XL Group was looking for a way to grab employees’
attention so that they could pass on valuable security information – not
only to protect corporate data, but personal information, as well.

The company wanted everyone to work toward a common goal and appeal to
their sense of compassion. So it asked employees to accept a challenge --
watch an educational security video and in turn, for every view of the
video, the company would donate a dollar to Doctors Without Borders, an
international medical humanitarian organization that provides aid in nearly
70 countries.

The company created seven educational videos around protecting the company,
its data, mobile devices and personal data with topics on spear phishing,
phone phishing, botnets and social media threats. The short videos were
delivered monthly through emails and blogs.

“The goal was to have the videos watched by XL colleagues 10,000 times,
raising $10,000 for Doctors Without Borders,” says Thomas Dunbar, chief
information risk officer. The campaign easily exceeded its goal and
Dunbar’s team presented a check to the charity in December.

Equally important to the company, the campaign engaged 4,500 XL Group
employees worldwide in protecting their corporate and personal information.

2. The Nudge

You’ve been pinged, you’ve been poked, now prepare to be nudged. Borrowing
a page from economics literature, researchers at Carnegie Mellon are
experimenting with “soft paternalism.”

“We’re going to let you make the decision, but we’re going to nudge you
toward doing what we think is best for you,” says Lorrie Cranor, director
of the CyLab Usable Privacy and Security Lab.

For instance, one tool focuses on avoiding regret and helps social media
users make better choices about their posts. As users are typing, the tool
randomly selects five people from the writer’s list of contacts who are
about to see the post, and it shows their profile pictures on the screen.
“People you may have forgotten about may pop up, and it makes you rethink
what you’re writing,” Cranor says.


3. The Countdown

To get people to stop and think, CMU built another tool that provides a 10
second countdown timer before a post is published. “You can see it, edit
it, or cancel it” in those 10 seconds, Cranor says. “We found that it was
actually a pretty effective way to get people to stop and think.”

Both of these tools could be very effective in the workplace, Cranor says.
“You could develop a nudging tool that would be on the look out for things
against company policy and provide these hints and suggestions - ‘hey, look
again at what you’re about to send and see if it crosses the line,’” Cranor
says.

4. The Game

Using interactive gaming techniques to educate or motivate users –
otherwise known as gamification -- has shifted from customer-focused
applications that are led by marketing, to more employee-focused
applications led by IT for security awareness.

These interactive software games usually rely on employees’ competitive
nature and involve teaching the player a particular security concept and
then putting them into scenarios where they can apply the concept. The
player competes against the clock and receives points for every correct
behavior scored.

“We’re trying to give them that similar experience that they have at work
where they’re multitasking and have to make quick decisions,” says Joe
Ferrara, president and CEO of security awareness and training company
Wombat Technologies in Pittsburgh.

While some employees play to achieve their personal best scores, some
companies organize contests around game-based training between individuals
or groups and award prizes, says Ferrara.

EMC used an online game and accompanying Elvis-themed “Suspicious Link”
video (a parody of his “suspicious minds” song) to make employees worldwide
aware of phishing scams and their impact on the company. Employees had to
watch the video and then answer all questions correctly to be entered to
win an iPad Air. Centers of Excellence around the globe also competed as
teams to win an office party.

“We like to run contests because we know users don’t just want to learn,”
says Brian Osterman, risk analyst. “We try to gamify it and increase the
competition so it’s actually fun.”

5. The Simple ‘Thank You’

At safety science company UL LLC in Northbrook, Ill., there are no cash
rewards for security-minded behavior. But when an employee spots a very
high-risk phishing scam and is one of the first people to report it, the
security team gives them validation by sending them a thank-you note and
copying their supervisors, the head of the business unit and occasionally
the CEO. “That goes a long way,” says Steve Wenc, senior vice president and
chief risk officer.

UL developed a behavior-focused security education program designed to help
its nearly 11,000 employees recognize phishing messages and quickly report
them to UL's security team. The program has created a crowd-sourced "human
firewall." On a daily basis, UL employees are spotting new attacks,
reporting them -- often within minutes -- and enabling UL's security team
to quickly take steps to block the attacks, alert other users and remediate
infections.

Since the project’s inception, incident reports have increased from 10 a
month to over 1,000, and UL reports a 19% decrease in virus-related
incidents.

“We appreciate what they’re doing,” Wenc says. “When they spot [a scam]
that has impact on the company, we tell them, ‘You saved your colleagues
and our customers from an attack.’”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 