I recently spoke at the SecureWorld Expo event in Seattle on the data privacy panel. I had a blast being on the same panel with some really intelligent folks, and, as usual, I took my position on the dais as the trouble-maker. At some point during the discussion, the topic of user awareness training came up, and I got off on a rant.

The quote that came out of my mouth (captured live on Twitter here) as I got riled up was:

"Training is for puppies."

And I'm still riled up about it. Because we've been educating our users for 15 years and it hasn't worked. And we blame the users. Or we feel like we need to put up more posters and rub more users' noses in it. (Someone in the audience actually suggested that his organization would be best to fire any user who violated security policy. If you're not shocked at the stupidity of that idea, you probably should call me. Or Dr. Phil. You need help.)

Security awareness isn't about educating our users. And other people have solved this problem. (And, in fact, Foreground has solved the problem for its clients in the same ways).

In Super Freakonomics (pg. 204) Levitt and Dubner talk about the difficulty when talking about trying to get doctors to wash their hands in the hospital:

"This failure seems puzzling. In the modern world, we tend to believe that dangerous behaviors are best solved by education. That is the thinking behind nearly every public-awareness campaign ever undertaken, from lobal warming to AIDS prevention to drunk driving. And doctors are the most educated people in the hospital."

Here's the thing. We're not "educating" our users. We're not "training" our users.

Our goal is to change their behavior, not make them smarter.

The solution to the doctor's handwashing problem is described in this column as well. And it describes the crux of what we have to do. We have to start treating users like adults:

"In the beginning, the administrators gently cajoled the doctors with e-mail, faxes and posters. But none of that seemed to work. (The hospital had enlisted a crew of nurses to surreptitiously report on the staff’s hand-washing.) “Then we started a campaign that really took the word to the physicians where they live, which is on the wards,” Silka recalls. “And, most importantly, in the physicians’ parking lot, which in L.A. is a big deal.”"

Note that there are two keys to success in any program of this sort.

1. Measurement. If you're not measuring the success of your program, how will you know (as the team at Cedars Sinai did) whether or not your posters are working? (Hint: they're probably not.)
2. Not Education, But Marketing Your security awareness program goal isn't that the users pass a test. It's that they behave correctly in a given organizational context. The geniuses of behavior change in our society aren't educators - they're marketers. Marketers get their messages in your head and change where you spend your money... this is how awareness must be run. So, create campaigns that target behavior change and create positive incentives that work. (Hint: threats of termination are not incentives that work).

This might seem obvious. But given how bad the user awareness is out there (and how bad the ideas are of most people who are talking about it), It's clearly not.

Comments (0)

Subscribe to this comment's feed

Write comment

Email Name Website		Comment smaller | bigger
		Subscribe via email (Registered users only) Add Comment