The most difficult security rules to obey are the ones that don’t seem to make a meaningful difference. When teaching people security skills, use humorous stories to help them remember why those skills are necessary and why disciplined, consistent application truly matters.
Security fundamentals aren’t much different from general business fundamentals: there are basic, time-tested rules that everyone needs to consistently follow to detect and correct errors before they impact operations. I realize this seems blindingly obvious; most people learn this lesson early in their career (usually after making an embarrassing mistake).
The thing is, just because you know a rule doesn’t mean you’ll reliably apply that rule over time. People prioritize. The less that a rule seems necessary, the more likely we are to forget about it. After all, if it hasn’t mattered in months, years, or decades, then what’s the point of dogmatically following it for no tangible benefit?
This is an essential element of human nature. Those of us who work in Security Awareness must always keep this in mind when we’re planning our annual skills training and skills reinforcement campaigns. The less that our people can see the practical benefit of a required action, the less likely they are to apply it. Therefore, it’s up to us to provide compelling support for those rarely-needed-but-vital actions – usually in the form of memorable stories.
As an example: my superior recently summoned me up to Chicago to get some face-time with colleagues that I rarely get to see in person. Nothing out of the ordinary, just a mundane business trip. Well … mostly mundane.
There are some slight cultural differences between our Chicago HQ and our Dallas office. Everyone in Chicago seems to either walk to work or take a train, whereas everyone in Dallas drives. The folks in Chicago have a smashing café a few floors down that they can dash to for a nice lunch at their convenience, whereas the nearest dining option for the Dallas office is a quarter-mile walk away.
Most importantly for purposes of this story, the folks in Chicago consistently dress better – snazzier, even – than us Dallas folks. I’m not trying to suggest that we’re slobs down South; merely that something about the Chicago business scene inspires people to step up their game. They’re always quite snazzy, whereas we’re more of a denim-and-boots culture.
No, we don’t ride horses to work in Dallas. We could but we don’t because horses hate sitting in rush hour traffic even more than humans do.
With that in mind, I ordered a few new dress shirts as soon as my boss told me I’d be spending a week up in Chicago. I felt a need to blend in. Don’t let the team down and all that. I have a preferred vendor for my “good” shirts; an outfit that uses higher-quality materials in more interesting colours and patterns than the typical, generic, forgettable department-store togs that get me by in Dallas day-to-day.
As always, my chosen vendor delivered my new shirts on time the night before I flew out. I knew that I should have taken each one out of its packaging and tried it on just to be sure the shirts fit correctly. That’s the smart and responsible thing to do. However (I rationalized), this was my fourth order from the same vendor for the exact same style and cut of standardised shirt. This vendor had never failed me before. I was in a hurry to pack. All perfectly reasonable assumptions borne from positive prior experience. What were the odds of something going wrong?
You can see where this is going. Please feel free to start laughing now. I don’t mind.
Once I arrived at my hotel in Chicago, I knew that I should take everything out of my suitcase and inspect each item to ensure that I had everything I needed. Conduct one final equipment check before “go time” while there was still time to re-arm and recover (so to speak). However (I rationalized), I was only going to be in my hotel for two days before I had to relocate to a different one across town. Best not to take everything out of the suitcase and then be forced to repack. Perfectly reasonable assumptions, what are the odds, etc.
I’m as guilty of this as the next person: if the worst possible outcome for a risk doesn’t involve a threat to life, limb, or property, I tend to subconsciously downplay the importance of the risk. This is a mistake that we all must overcome to maintain effective enterprise security.
So, there you have it: I had multiple opportunities to take small and reasonable steps to prevent a faux pas, and I let the opportunities pass without action.
Flash forward to Thursday: purple shirt day in our department. A tradition that I’d subconsciously picked up on during my last visit and must have remembered when I’d selected my new shirts. At 6.30 am on Thursday morning, I donned my “classic fit, non-iron, berry-coloured, arrow weave shirt” and immediately realised there was something dreadfully wrong: my shirt cuffs stopped well above my watch. I looked in the hotel mirror and saw that the cut of my new shirt was off. The shoulders were too wide while the chest was too narrow (a feat in and of itself).
Worst of all, the sleeves were too short by about four centimetres. I looked like a slightly-metallic and aubergine-coloured orangutan with glasses. It wasn’t my best look.
Still, I had to soldier on. I hadn’t packed a spare dress shirt – another common-sense precaution that every traveller should implement – and there was no time to dash to a store, assuming I could even find one in a strange city in the wee hours. Nothing for it but to accept whatever smirks and giggles I inspired when I reached the office. I must have been dwelling on the problem because I overshot my westward turn on the walk in and added an extra mile to my commute.
This is not to suggest that my colleagues gave me a hard time that day (although they would have been entirely within their rights to do so). Everyone was so consumed with work, dashing about with little time to talk, that either no one noticed or simply didn’t have the cycles to spare to make a joke about it. The only person who commented at all was our Deputy Executive who asked in passing “Are you feeling all right? You look … flushed.”
Obviously, this is a tempest-in-a-teapot story. Looking like a fool in the office is my stock-in-trade, so one oddly-shaped shirt event isn’t going to do my reputation any lasting harm.
What it is, though, is a funny story that helps to make a point: I knew the established best practices for travelling up to the HQ. Try everything on before you pack it. Bring a backup of everything in case of damage, loss, or embarrassing weight gain. Know where the nearest clothier is from your hotel. Use your operational pauses to double-check your kit and togs while there’s time to fix an unexpected glitch. These are all simple, cheap, and important preventative measures.
The reason we don’t do the simple things is usually complacency. We perform required actions diligently and, over time, realize our effort was unnecessary. So, based on experience, we stop bothering. Never needed the extra work before, so we probably won’t ever need to again. Skip it. What’s the worst that can happen?
The answer, of course, is that misfortune only needs one opportunity to wreck your plans. In the security world especially, an attacker only needs to get lucky once to penetrate your defences, sidle off with your secrets, or secure a pivot point into your network. Locking a workstation, shredding an obsolete document, or locking a cabinet aren’t difficult tasks. Such mundane actions might seem like a waste of effort when it’s believed that they’ve never truly been needed before. It hasn’t mattered yet (the rationalisation goes) so why bother?
That’s why we must not only stress the importance of consistent performance of minor actions, we also must supplement our training with memorable stories. Sharable, preferably funny stories that will stick with people. Stories that will pop into a user’s head when they consider whether to “waste” time performing a routine security action. Stories that will resonate, even if it’s at our expense. Stories that positively influence behaviour.
I don’t mind being the butt of a good joke. I made a preventable error and looked foolish; that’s on me. Better to let someone have a good laugh at my expense and learn from my foolishness than it is to protect what passes for my dignity and let a good person make a preventable mistake that negatively impacts site security. After all, we security professionals are here to protect our company and our colleagues, not to be admired for our fashion sense.