IT security managers should be prepared to allow employees to make mistakes and infect corporate machines in order to improve education programs, according to Gartner.
Speaking at the annual Security & Risk Management Summit in London today, research vice president, Andrew Walls, argued that as employees increasingly bring their own devices and use consumer apps at work, IT bosses are turning to education programs to try and influence behavior.
For starters, the term “security awareness” belongs on the scrapheap, he said.
“If you take away nothing else from today’s presentation it’ll be this one thing: stop using the phrase ‘security awareness’,” Walls added.
“Awareness is one possible outcome of an education campaign…but being aware of something doesn’t necessarily change your behavior.”
One of the most important elements of a successful security behavior management program is to show the employee what risk looks like, even though doing so goes against the “basic inclinations” of any information security professional.
“You need to let people fail. You need to let people get infected by a virus. You need to let their account get stolen from them and then go ‘see what I was talking about? We can prevent that’,” he said.
“In IT security we want … to talk about threat but we don’t want anyone to experience the threat or risk and that creates problems for us because as we hide this after a while no one believes us, we’re talking in myths. And so we need to find opportunities where we can increase the visibility of the threat.”
Before even designing the program, IT security leaders need to consider their objectives and metrics, and the employees to be trained, as well as building a Training Needs Assessment framework.
However, the main objectives – compliance, discipline, knowledge and behavior – can never be addressed in a single program.
Managers should ensure their objectives are driven by their unique “risk priorities,” concentrating on changing behaviors to reduce risk in those specific areas, such as password management, said Walls.
Focusing on compliance, discipline and knowledge acquisition will lead to the organization experiencing 20% higher levels of security 'failure' than those counterparts who focus directly on behavior management. This figure will increase to 50% by 2017, he added.
“Of those four objective types, behavior management is king. Unfortunately it’s also the most expensive and the hardest to accomplish,” Walls concluded.