Wanna motivate staff to be more secure? Don't bother bribing 'em

It's frustrating getting users to keep information and systems secure on a daily basis. However, don't try any smart gimmicks – particularly offering wedges of cash or other prizes for good behavior. It doesn't work. Quite the opposite, it can make things worse. Paying out a bonus to those who make few or zero security …


  1. Anonymous Coward

    Don't name and shame persistent offenders

    Sack them.

    We find this improves our overall security because they are no longer part of the organisation.

    Praising staff who follow the rules to keep their jobs? This isn't primary school. Do your job, to the standard your employer requests and don't be surprised that you're let go if you fail to do so consistently.

    The problem isn't with "having a go" at those not following rules, it's that in many companies there are no consequences to not following rules.

    1. Evil Auditor Silver badge

      Re: Don't name and shame persistent offenders

      Sack them may be part of it. The article, although put into the context of IT security, is mainly about organisational behaviour and how to (de-)motivate staff.

      It's basics. People are usually intrinsically motivated to do a good job - as long as certain hygiene factors are present. For example, tolerating incompetency will demotivate the competent people. Dealing out silly petty cash for good behaviour will be looked through for what it is: silly - and demotivate. And so on.

    2. Naselus

      Re: Don't name and shame persistent offenders

      Yeah, I've never worked anywhere where the IT security policy isn't a binding company policy document. Not following security should be seen as directly equivalent to not following the 'don't shit in the boss's desk drawer' policy, and should be punished in the exact same way.

      The problem is generally that security isn't taken seriously at senior levels. Just like every other user, board members and execs SAY they want to be secure, but won't tolerate anything that adds the slightest effort to performing routine tasks. So they get you to draw up a perfect best-practice security policy, and then immediately insist that it doesn't apply to them - despite the fact that they're the biggest targets and the people who most need to follow security protocol to the letter.

      1. Yet Another Anonymous coward Silver badge

        Re: Don't name and shame persistent offenders

        Then they just obey the security policy to the exclusion of doing any work.

        If you do those fake phishing calls/emails to see if they respond then your users stop responding to any calls/emails - they can simply claim they thought all customers were suspicious.

        In fact I'm not even logging onto my machine this morning because the keyboard looks like it has been moved on my desk - that's "suspicious" so I'm going out for coffee until IT have checked it.

      2. Anonymous Coward

        Re: Don't name and shame persistent offenders

        @Naselus - "immediately insist that it doesn't apply to them"

        Bullseye... that is exactly what happens.

        I work for a FTSE Tech company that recently had a new CEO; one of the first things he asked for was an exemption from the security policy (iirc it was no minimum length password, no password expiry and no forced 2FA)...

        They give lip service to the importance, as long as it a) doesn't cause the slightest impact on performance and b) they don't have to think about it.

      3. Lord_Beavis

        Re: Don't name and shame persistent offenders

        "'don't shit in the boss's desk drawer' policy"

        Where do you work that that is a policy?

        1. Naselus

          Re: Don't name and shame persistent offenders

          "Where do you work that that is a policy?"

          I think the more pertinent question is why you work somewhere where it isn't, tbh.

        2. Midnight

          Re: Don't name and shame persistent offenders

          "'don't shit in the boss's desk drawer' policy"

          Where do you work that that is a policy?

          And more to the point, just what happened the day before it became policy?

          1. EJ

            Re: Don't name and shame persistent offenders

            "the day before"???

            Revenge is a desk drawer deposit best served cold.

    3. Ken 16 Silver badge

      Have you ever worked in a security role?

      There's a base level of security compliance it's reasonable to expect, and test for and send people on compulsory training when they don't meet it. Most of information security is about having the big fence and the alarm system and reminding people not to let strangers in the house. It's a deterrent. Then there's the bit about the real valuables and keeping them in a safe, bolting that into the wall, making sure there are controls on who can unlock it. Join the neighbourhood watch, talk to the local police, hire a security company to advise you.

      If a state-equivalent agency decides to break into the house and take the valuables, they will, and firing the person who locked up last will make no difference.

      Test, train, thank those who comply, retrain those who miss and hope for the best.

      1. Anonymous Coward

        Re: Have you ever worked in a security role?

        "Test, train, thank those who comply, retrain those who miss and hope for the best."

        What good is hoping when just ONE slip can blow you higher than up?

      2. Doctor Syntax Silver badge

        Re: Have you ever worked in a security role?

        "There's a base level of security compliance it's reasonable to expect, and test for and send people on compulsory training when they don't meet it."

        What do you mean by testing? If you simply mean a questionnaire about the security policy this isn't going to be adequate. Passing a one-off test is one thing. Acting securely day-to-day in the long term is another. An effective test would be to have test phishing emails sent randomly to various members of staff.

        I had a client who took security very seriously. They had a pen-testing firm ring through to direct lines and try to winkle information out of the target. They found that the attempts were firmly resisted. Security was part of the company culture; it helped that "Security" was part of the company name.

      3. John Smith 19 Gold badge

        workers should be praised for good behavior, and be given better tools to tackle threats

        Wow.

        Just wow.

        I'm having an epiphany as I was reading this.

        I'm thinking: how many decades has it taken for someone to spot this?

    4. Charles 9 Silver badge

      Re: Don't name and shame persistent offenders

      "Sack them."

      But what do you do when the person you want to sack is someone like an executive with sacking powers of his/her own? Meaning try to sack them and they respond by pulling rank and sacking YOU instead.

      That's something I want to know. How many of those "who wouldn't touch security" carry an immunity to any kind of mitigation by way of rank/position? IOW, how do you stop the problem when it comes from up top?

      1. RobinCM

        Re: Don't name and shame persistent offenders

        You ask yourself if you want to continue working there.

        And/or talk to their boss and explain the situation, and then re-ask yourself if you want to continue working there.

        You'll find your motivation for your job probably either decreased significantly, or, ideally, increased significantly.

      2. Doctor Syntax Silver badge

        Re: Don't name and shame persistent offenders

        "But what do you do when the person you want to sack is someone like an executive with sacking powers of his/her own?"

        Leave. The outfit's on borrowed time.

        1. Charles 9 Silver badge

          Re: Don't name and shame persistent offenders

          Jumping ship sounds nice until you learn the whole fleet is sinking. What do you do when your situation is par for the course?

          1. Doctor Syntax Silver badge

            Re: Don't name and shame persistent offenders

            "What do you do when your situation is par for the course?"

            Go freelance and insist on prompt payment of invoices. (And in answer to your next objection, don't take contracts there).

      3. Anonymous Coward

        Re: Don't name and shame persistent offenders

        But what do you do when the person you want to sack is someone like an executive with sacking powers of his/her own? Meaning try to sack them and they respond by pulling rank and sacking YOU instead.

        That's something I want to know. How many of those "who wouldn't touch security" carry an immunity to any kind of mitigation by way of rank/position? IOW, how do you stop the problem when it comes from up top?

        I don't WANT to sack anyone. I wouldn't be the one sacking anyone either, as that's not my job; that's for HR to deal with. This isn't about taking things personally, and if I personally wanted to go down that route as the biggest insider threat to the organisation I work in, I'm sure I could come up with something. But here's the thing: I do this job because that's NOT what I'm like and I would never do that.

        1. Charles 9 Silver badge

          Re: Don't name and shame persistent offenders

          "I don't WANT to sack anyone. I wouldn't be the one sacking anyone either, as that's not my job; that's for HR to deal with."

          That doesn't answer the question, though. What do you do when the person routinely breaking your security policies is over HR's head (like someone on the board) and therefore can't be sacked that easily? Worse, what do you do when you find out it's like that everywhere, meaning jumping ship simply means jumping onto another sinking ship?

      4. Sheepykins

        Re: Don't name and shame persistent offenders

        OK guys, you've had enough fun with the sacking. No one's getting sacked today.

    5. Anonymous Coward

      "Praising staff who follow the rules to keep their jobs?"

      It's not primary school, but people will help you more if you are grateful for their help, and give them reasons to continue to help. If they are snubbed, they will stop.

      If, for example, you get a phishing report and don't bother to answer, when due, "thank you, you helped to identify a new threat, we added it to our blacklist" or something similar, people will soon stop informing you.

      It's basic human behaviour - something people who just live in the space between the screen and the keyboard often can't understand.

      1. Mark 85 Silver badge

        Re: "Praising staff who follow the rules to keep their jobs?"

        It's not primary school,

        There in a nutshell is the problem. Too many of the younger group (and even older employees) are embedded in the "participation award" mindset. Give an award for "no absences or tardies". Give an award for "parking your car between the lines". I've seen these and more and it's pretty sad that the companies do it. You end up with the few who get the "awards" over and over and the rest don't care.

        1. Charles 9 Silver badge

          Re: "Praising staff who follow the rules to keep their jobs?"

          "Too many of the younger group (and even older employees) are embedded in the "participation award" mindset."

          But then you have the other extreme, with countries like Japan and South Korea where the drive to succeed is SO intense they suffer from high suicide rates (in particular, South Korea last I checked ranked second in the world in per-capita suicides, and that list includes third-world countries--to compare, the US is middle of the pack and the UK somewhere lower).

          Basically, it's kind of lose-lose. Coddle them and they don't tolerate lip. Go hard and they don't tolerate failure. Frankly, I'd be scared to learn that the middle is actually UNhappy (where you have intolerant youngsters driven to suicide) and there's no real solution.

    6. Aodhhan Bronze badge

      Re: Don't name and shame persistent offenders

      ...removing employees also removes good talent.

      Remember, it isn't security which drives business; quite the opposite. It's the business needs which drives security.

      Ensure proper security policies, procedures and mechanisms are in place.

      Ensure proper monitoring is in place, even if it means monitoring individual employees (who raise risk) in order to provide focused individual training and implementation of security mechanisms.

      Monitoring 'at risk' employees will often provide a lot of insight into the problem. It also provides proper justification if it does come down to removing the employee from their position.

    7. ecofeco Silver badge

      Re: Don't name and shame persistent offenders

      Sack them.

      Came to say the same thing. I have no sympathy if they have been trained and warned more than once.

    8. Kabukiwookie

      Re: Don't name and shame persistent offenders

      While in my experience management are often the worst offenders of poor security behaviours, they do expect the peons to adhere to strict and sometimes ridiculous 'security' protocols.

      If you want people to adhere to security measures, you have to:

      - Make sure management leads by example

      - Explain for each measure what the reason is for implementing them

      Making people understand why something is done trumps forcing seemingly random stuff down people's throats any day.

  2. Anonymous Coward

    Re Faecebook example

    "On one level, it worked: the security team saw a 350 per cent increase in dodgy email reports. The problem is most of them were false positives"

    Based on personal experience, one wonders how many of those false positives were the result of corporate or departmental etc., emails that were so ineptly put together that they looked like phishing attempts.

    A recent case in point: we had a series of emails, sent to individual employees, asking for individuals to confirm their driver licence personal details. It didn't carry an originating address from our HR or from any company address, just a strange third party. The email contained a variety of clickable response links, to a variety of different email addresses and websites, none of which were related to our company. In short: every single hallmark of a phishing attempt.

    In the end, our HR idiots (and I am being generous with that) responded to a specific request and confirmed the email was, indeed, genuine.

    There was no general follow-up, no acknowledgement that the issue had gone off half-cock. The whole sorry tale was repeated two or three years later when the next update was launched.

    Anon

    1. Doctor Syntax Silver badge

      Re: Re Faecebook example

      "emails that were so ineptly put together that they looked like phishing attempts."

      That would be a report that could be acted on. Clearly whoever puts together emails like that (I'm looking at at least one bank and building society here) has no idea what phishing is and hence is prime target material. Reports on this point to a need for training.

    2. Anonymous Coward

      Re: Re Faecebook example

      Hi Anon,

      Do we work for the same company?

      In my case the HR e-mail came exactly one day after the company-wide course on recognizing phishing.

      Anon2

      1. Anonymous Coward

        Re: Re Faecebook example

        Oh dearie, dearie me, is this an epidemic or just the mindset of people attracted to training about phishing?

        We had our 'Phishing training' team send out a mail purporting to come from the IT group about a planned update to Windows 10.

        Three weeks before we were about to launch our Windows 10 Update program.

      2. Inventor of the Marmite Laser Silver badge

        @Anon2

        Could be, could be. Is yours owned by a French multinational with a big Digitise push?

  3. Doctor Syntax Silver badge

    "Another, er, motivational technique – naming and shaming of employees by the BOFH – doesn’t work either. "

    Really? Back in the days of dumb terminals we had a problem with users not logging out. We set up a message on MOTD to remind users to log out. The next time we had to force a log out we added "xxxxx, this includes you." and changed it every time a new offender was discovered. Eventually we had to remove that with the last offender's name because nobody else had put themselves forward as a replacement.

    The message had got through.

    I suppose in these days of snowflakes it would be called harassment and not allowed.

    1. Robert Carnegie Silver badge

      Leaving aside the harassment question, you could continue personalising the "remember to log out" message with names of the IT office team, for variety.

      Our building tests the fire alarm at 3pm every Friday. I don't know who actually runs around the building checking that it can be heard, if that's what they mean, but they must be fast. Anyway, it comes as a shock when it rings... even though on Friday the receptionist's desk usually has a big red-printed sign saying "The fire alarm will be tested today". I've thought it would be better with flashing lights on it. Or... an e-mail at 2.55pm to remind us.

  4. James O'Shea Silver badge

    Implement security properly

    One organization that I do occasional work for has implemented a new email security policy, a particularly mangled version of two-factor auth.

    In Ye Distant Past (that is, up until December last year) I could collect email using OWA, with all the (in)security implications and irritations that that implies, or I could use MS Outlook. If I used OWA, they had rigged it to expire a session after a while and I'd have to log back in. This meant that I might go days before bothering, and sometimes 'important' emails might not be noticed among the sea of idiocy which would show up when I finally logged back in. Besides, I just don't like webmail. As I had Outlook set up for other reasons, I just added the email account for them to Outlook. Outlook was always sitting open on my main machine. I got all their (mostly useless and/or idiotic) email immediately. 'Important' email was actually immediately visible.

    So they implemented 2FA... badly. They decided to use the Microsoft Authenticator system. Those who have encountered it might know that it can be set to _require_ certain classes of users (that would be those who don't have Official Company Laptops) to re-authenticate _every 24 hours_. I can no longer just leave Outlook open with their account available; every 24 hours a modal dialog pops up, preventing me from accessing _any_ account in Outlook, not just theirs, until I enter the password for their account, _twice_, and dig out my cell phone and click 'allow' in the MS Authenticator app. If I take too long, the 2FA auth times out and I get to start over. That's entering the password a total of _four_ times or moving really fast to send the auth code. Every. Single Day. On machines which have been accessing that account for literal years.

    Meanwhile, 2FA is _not_ implemented for OWA. Sessions still expire, but I only have to enter the password once to get logged back in. I have deleted their account from Outlook and the MS Auth app from my cell phone and gone back to using (ugh) webmail... and to checking email from them maybe once a week because I bloody hate webmail. Congrats, boyz, you 'improved' security by making it difficult to communicate.

    They're planning on killing OWA by the end of April, and requiring that all users use Outlook with 2FA. Line management has responded by asking us 'contractors' to install a special texting app... which doesn't go through Exchange Server and so isn't affected by 2FA (and doesn't get the loads of bumf that is emailed out every day). Congrats, boyz, you 'improved' security so much that users are bypassing your system to get actual work done. And no, IT Security won't be able to do anything about it, as the app lives on non-company cell phones. _Great_ work, there, boyz. You just _created_ a security hole.

    They have a (small) disk quota applied to email accounts; users have to clean out old mail periodically. I await with interest the screaming when accounts fill up because of the daily bumf and no-one logging in to clean it out. Oh. Wait. They send out email notices when the mailboxes are getting too full, adding to the daily bumf... I wonder how long it will be before they notice that most of the workforce ain't using company email anymore, and what they'll try to do about it. Fun times ahead, boyz'n'grrlz, fun times ahead.

    On my own systems here at the office I have also implemented 2FA... just not in an anti-user fashion. Every time users log in from a new device (cell, tablet, laptop, desktop) they must authenticate. Every time users log in using new software (for webmail, that means new web browser, and that's 'new browser', not 'new version of old browser') they authenticate. Once authed, you stay authed unless and until something changes.
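    The two step-up policies this post contrasts, as an added example that is not code from the commenter's systems or from Microsoft Authenticator: a clock-driven re-prompt against a device-and-browser-family trust list. The class and function names and the sample User-Agent strings are constructed.

```python
"""Two second-factor step-up policies compared (added example; hypothetical names).
TimeBoundPolicy re-prompts on a fixed clock, like the 24-hour rule described above.
DeviceBoundPolicy re-prompts only when a user appears from an unseen device or
browser family, so a new version of a known browser is not 'new software'."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample User-Agent strings, not captured from any real system.
UA_FIREFOX_110 = "Mozilla/5.0 (X11; Linux x86_64; rv:110.0) Gecko/20100101 Firefox/110.0"
UA_FIREFOX_111 = "Mozilla/5.0 (X11; Linux x86_64; rv:111.0) Gecko/20100101 Firefox/111.0"
UA_CHROME_120 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Order matters: Edge also advertises Chrome and Safari tokens, Chrome advertises Safari.
_FAMILIES = (("edge", r"Edg/"), ("firefox", r"Firefox/"),
             ("chrome", r"Chrome/"), ("safari", r"Safari/"))


def client_family(user_agent: str) -> str:
    """Reduce a User-Agent string to its browser family, discarding the version."""
    for family, pattern in _FAMILIES:
        if re.search(pattern, user_agent):
            return family
    return "unknown"


@dataclass
class TimeBoundPolicy:
    """Ask for the second factor again whenever the last prompt is older than ttl."""
    ttl: timedelta = timedelta(hours=24)
    last_prompt: dict = field(default_factory=dict)  # user -> datetime of last step-up

    def needs_step_up(self, user, device_id, user_agent, now):
        last = self.last_prompt.get(user)
        return last is None or now - last >= self.ttl

    def record_step_up(self, user, device_id, user_agent, now):
        self.last_prompt[user] = now


@dataclass
class DeviceBoundPolicy:
    """Ask for the second factor only for an unseen (user, device, browser family)."""
    trusted: set = field(default_factory=set)

    def needs_step_up(self, user, device_id, user_agent, now):
        return (user, device_id, client_family(user_agent)) not in self.trusted

    def record_step_up(self, user, device_id, user_agent, now):
        self.trusted.add((user, device_id, client_family(user_agent)))


def login(policy, user, device_id, user_agent, now, second_factor_ok=False):
    """Return 'ok' or 'step-up'. Password verification is assumed to happen upstream."""
    if not policy.needs_step_up(user, device_id, user_agent, now):
        return "ok"
    if second_factor_ok:
        policy.record_step_up(user, device_id, user_agent, now)
        return "ok"
    return "step-up"


def count_prompts(policy, logins):
    """Count second-factor prompts over (user, device, user_agent, time) logins,
    assuming the user completes the step-up every time it is demanded."""
    prompts = 0
    for user, device_id, user_agent, now in logins:
        if login(policy, user, device_id, user_agent, now) == "step-up":
            prompts += 1
            login(policy, user, device_id, user_agent, now, second_factor_ok=True)
    return prompts


def demo_week():
    """One user: daily logins from the same laptop for a week, a browser upgrade on
    day 8, then a genuinely new phone. Returns (time-bound, device-bound) prompt counts."""
    t0 = datetime(2019, 1, 7, 9, 0)
    logins = [("alice", "laptop-1", UA_FIREFOX_110, t0 + timedelta(days=d)) for d in range(7)]
    logins.append(("alice", "laptop-1", UA_FIREFOX_111, t0 + timedelta(days=7)))
    logins.append(("alice", "phone-1", UA_CHROME_120, t0 + timedelta(days=7, hours=1)))
    return count_prompts(TimeBoundPolicy(), logins), count_prompts(DeviceBoundPolicy(), logins)


if __name__ == "__main__":
    print("prompts in a week (time-bound, device-bound):", demo_week())
```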

    1. Kientha

      Re: Implement security properly

      At work we have 2fa in order to access the corporate side on our work machines. This times out after 15 minutes of inactivity so you end up having to put it in 7/8 times a day. It's a serious pain in the a**

    2. Stevie Silver badge

      Re: Implement security properly

      I imagine the chain of events that led to the Hillary Clinton Uses An Insecure Personal Phone scandal began with much the same foofaraw.

      I'm thinking that the only way to properly secure a remote connecting device is by some sort of secondary physical device that acts as a key, because making the security a passive thing as far as possible will follow the dictum If you want people to do something a given way, make that way easier to follow than any other they can come up with.

      For example (and only a from-the-top-of-me-head example) a log on could require some sort of short-range proximity to a smartwatch-like device, something the user would have with them at other times for other purposes.

      Secure phones could be properly secured by short range encrypted conversations between the watch and the phone before any attempt to access the network were allowed.

      If one really cares about security, one must start thinking about proprietary ways of making it happen as well as "off the shelf from China etc". Cheap isn't always best (though it usually offers advantages that outweigh the downsides).

      But if you want people to do anything in a given way, it has to be easier and more rewarding to do so than whatever they were doing before, or they won't do it.

      1. Doctor Syntax Silver badge

        Re: Implement security properly

        "I'm thinking that the only way to properly secure a remote connecting device is by some sort of secondary physical device that acts as a key"

        Many years ago I remember reading about the Olivetti (remember them?) lab in Cambridge which had a system whereby when a user walked up to a terminal it would display their personal desktop. That, IIRC, used their security badge. I never read what happened if two users sat down near the same terminal.

  5. Walter Bishop Silver badge

    The human factor and cybersecurity

    "Sedova said that research, and her experience, shows that around 20 per cent of the workforce are very motivated to secure their systems."

    "The human factor is maybe the biggest unsolved problem in cybersecurity." ref

    When are they going to design a 'computer' that can't be compromised by opening an email attachment or clicking on a malicious weblink?

    1. Charles 9 Silver badge

      Re: The human factor and cybersecurity

      Simple. When they build a machine that cannot be interacted with at all by humans in any way, shape, or form. Otherwise, physics and Murphy dictate there WILL be a way in spite of God, Man, or the Devil. And if there's a way, there WILL be a way to do it COMPLETELY.

      1. Walter Bishop Silver badge

        Re: The human factor and cybersecurity

        @Charles 9: "Simple. When they build a machine that cannot be interacted at all by humans in any way, shape, or form."

        That was a rhetorical question, the solution is to use Linux running off of a read-only device :)

  6. ma1010 Silver badge

    It's a common problem

    A similar problem is passwords. Where I work, we have several different systems that we all use. They all force us to change passwords regularly, and the systems all have different password rules about length and complexity. So people do what they always do in such a situation: write passwords down on a post-it note attached to their monitor. The hard-core security types put the post-it under their keyboards. Those with a clue use keepass or something similar.

    The only reason we don't get p0wned completely is that we are in an access-controlled area, but I still keep expecting something major to happen. I could try to bring management attention to this, but around here, the least said is always best.

    1. Yet Another Anonymous coward Silver badge

      Re: It's a common problem

      If you have physical security then a complex password written down is better than a weak remembered password. If you don't have physical security then there is no point in a password.

    2. handleoclast Silver badge

      Re: It's a common problem

      They all force us to change passwords regularly

      This was a good idea when computers were big, very expensive, and the only reason you'd be using one was because it was handling stuff that was classified. Things like computers for designing nuclear weapons back in the 60s.

      These days it's a bad idea. See this advice from CESG (which is a division of NCSC, which is a division of GCHQ).

  7. DougS Silver badge

    "Report spam/phishing" buttons

    I think that would work fine if they could be deactivated or "muted" for clueless users. That is, if admins get three obvious false positives from a certain user, remove the button for them or have their hitting it ignored by the system. After a while you'd only be getting reports from users who are smart enough to tell the difference between that and legitimate email (or at least smart enough that the admins have to do a little research before they figure out which category it belongs in).

    Giving the ability to create more work for the admins to everyone, including the Dunning-Kruger class of users, is a bad idea. If only a few people get a particular spam or phishing email there isn't anything you can/should do about it anyway, if a lot of people get it then one of the smart users who gets to keep their report button privileges will get it and you'll be notified quickly enough.

    1. Charles 9 Silver badge

      Re: "Report spam/phishing" buttons

      "If only a few people get a particular spam or phishing email there isn't anything you can/should do about it anyway..."

      Except SPEAR Phishing targets only a few people, so you can't ignore them, either. Plus if you mute the dumb who trip false alarms too often, you could end up with a Cry Wolf situation where the stupid user is targeted BECAUSE they cry wolf and get ignored.

      1. DougS Silver badge

        Re: "Report spam/phishing" buttons

        How is someone who is likely halfway around the world going to know you've muted alerts from a certain user and they should be targeted?

        I don't think being alerted about spear phishing really helps - if the person knows it is phishing they won't fall for it whether or not they can alert you, and if they don't know it is phishing they will fall for it and wouldn't have alerted you anyway.
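        One way to act on the false-positive problem DougS raises and the spear-phishing objection Charles 9 makes, as an added example that is none of the commenters' code nor any mail vendor's report-button implementation: reporters with a poor track record are down-weighted rather than muted, so a message only one of them reported still reaches the queue. Reporter names, verdict history and message ids are constructed.

```python
"""Triage queue for user-submitted phishing reports (added example; constructed data).
Instead of muting a reporter after three false positives, each reporter's past
accuracy becomes a weight with a floor, so noisy reporters are deprioritised but a
message only they reported (the spear-phishing case) still reaches an analyst."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Report:
    reporter: str
    message_id: str      # several users may report the same message
    sender_domain: str


# Analyst verdicts on each reporter's past reports: (confirmed phish, false positives).
# Constructed sample history; bob would have been muted under a three-strikes rule.
HISTORY = {
    "alice": (9, 1),
    "bob": (0, 30),
    "carol": (2, 2),
}


def reporter_precision(history, reporter, prior=(1, 1)):
    """Laplace-smoothed share of a reporter's past reports that were real phish.
    A reporter with no history gets 0.5, not zero, so new staff are heard."""
    tp, fp = history.get(reporter, (0, 0))
    return (tp + prior[0]) / (tp + fp + prior[0] + prior[1])


def triage(reports, history, floor=0.05):
    """Group reports by message and score each group as the sum over distinct
    reporters of max(precision, floor). Several independent reporters outrank one
    reliable reporter; a lone report from a noisy user keeps a non-zero score."""
    groups = defaultdict(list)
    for r in reports:
        groups[r.message_id].append(r)
    queue = []
    for mid, rs in groups.items():
        reporters = sorted({r.reporter for r in rs})
        score = sum(max(reporter_precision(history, who), floor) for who in reporters)
        queue.append({"message_id": mid, "sender_domain": rs[0].sender_domain,
                      "reporters": reporters, "score": round(score, 3)})
    queue.sort(key=lambda item: item["score"], reverse=True)  # stable: ties keep arrival order
    return queue


# Constructed reports: a mass campaign seen by three people, an internal HR mail
# misreported by the noisy user, and a targeted message that only the noisy user saw.
SAMPLE_REPORTS = [
    Report("alice", "msg-001", "invoices.example.test"),
    Report("bob", "msg-001", "invoices.example.test"),
    Report("carol", "msg-001", "invoices.example.test"),
    Report("bob", "msg-002", "hr.example.test"),
    Report("bob", "msg-003", "ceo-mail.example.test"),
]


def demo():
    return triage(SAMPLE_REPORTS, HISTORY)


if __name__ == "__main__":
    for item in demo():
        print(item["score"], item["message_id"], item["reporters"])
```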

    2. Doctor Syntax Silver badge

      Re: "Report spam/phishing" buttons

      I think that would work fine if they could be deactivated or "muted" for clueless users.

      It points to the need for training of those who report too many false positives and, if they prove untrainable, flagging up the problem to HR. (OK, it's quite likely HR will include more than their fair share. Their problem.)

      Having said that, I'm in the habit of sending false positive reports. I send them to my bank in response to their train-our-customers-to-be-phished emails. Which reminds me, when I sent the last one I told them I'd discontinue that particular email address in the new year if they hadn't responded. Time to do that.

      1. Charles 9 Silver badge

        Re: "Report spam/phishing" buttons

        "It points to the need for training of those who report too many false positives and, if they prove untrainable, flagging up the problem to HR. "

        And if the untrainable person is, as is so often the case, OVER HR's head?

        1. DougS Silver badge

          Re: "Report spam/phishing" buttons

          Training people to recognize spam and phishing? You're joking, right? That's like trying to train people who can't recognize sarcasm to recognize it, or training people who are always confusing there/their/they're in emails to get it right. You can't just assume that because many people can do something that everyone can learn to do it.
