Education, Encouragement, and Explanation: The Three “E’s” of Building a Positive Security Culture

By   ISBuzz Team
Writer , Information Security Buzz | Sep 02, 2014 06:03 pm PST

In your opinion, what are 3 key elements to succeed in a positive security culture and what tips can you provide to implement change, successfully?

Security of any kind is often viewed with trepidation. There’s the fear of failing to comply – the consequences can be harsh – as well as a feeling of helplessness brought about by not knowing all the rules, especially where technology is concerned.

Feature Download: Five Costly Data Breaches

Encouraging a positive security culture is really kind of hard given the circumstances under which those responsible are operating. One of the ways to move toward the “yay, security!” end of the spectrum is to be more active in promoting and encouraging participation in security-related activities. Educating, encouragement and explaining the “why” behind security measures can go a long way toward fostering a more positive security atmosphere in your organization.

1. Education

Education is paramount, particularly as the security threats become more sophisticated and more able to circumvent technological preventive measures. Provide short but targeted training exercises that better educate end-users as to how they can identify potential security risks. When combined with an innovative means of encouraging users to participate, educating end-users can have a significant impact on strengthening an organization’s security culture.

2. Encouragement (Incentivize, Gamification)

Encouraging end-users to participate and learn more about security can be difficult, but by incentivizing or gamifying aspects of education, you can certainly change people’s attitudes toward security pop-quizzes and participation. If you’re running a blind security test for users designed to test their “phishing detection prowess”, make sure to recognize those who passed. Incentives like badges for their e-mail or points that accumulate on an intranet leaderboard for participating in educational “events” can significantly change the corporate attitude toward security-related training – at least far better than angry e-mail reminders can.

3. Explanation

Explaining the risks of falling prey to certain types of attacks is always part of security training, but we usually focus on the corporate impact – downtime, dollars and reputation. Take an extra step and explain how failing to follow safe security practices can affect the individual personally. How much time will it take to “clean” their computer of a virus or malware? Will they lose access to external sites like social media? Will that malware leak all their e-mail – even the personal ones – to some random site on the internet? Make sure everyone understands both the corporate and the personal impact of failing to adhere to security policies.

None of this is easy, and it all takes effort. But when the entire corporate community is actively working to make a positive security culture, the entire organization wins.

Lori MacVittie | F5, Sr Product Manager | @lmacvittie

To find out more about our panel members visit the biographies page.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x