Building a positive security culture

April 2018

Builders checking plansDouglas Needham, a senior information security analyst, argues that referring to humans as the weakest link is unhelpful, instead we should focus on the positive actions they can take.

‘That’s funny’, Pip muttered quietly, rising from his chair as it wheeled slowly backwards behind him. ‘This attachment said it needs macros to display properly, but enabling them didn’t seem to change anything’, he remarked in bemusement to his colleague sitting across the desk. Without looking up from her own screen a disinterested reply came back from Estella, ‘sounds a bit funny, just report it to the service desk and ignore it.’

You could probably picture a number of ways that this scenario could unfold and may even have encountered a similar situation yourself. However, would you consider this a demonstration of human weakness or human strength?

With the General Data Protection Regulation (GDPR) introducing requirements for reporting data breaches within 72 hours of their discovery, it is more important than ever to develop a positive security culture in which the reporting of suspicious activity is encouraged, easy and escalated appropriately.

Enter the Pygmalion

In Metamorphoses, the Roman poet Ovid recounts the legend of the Cypriot sculptor, Pygmalion, who carved a statue so beautiful that he fell in love with it, and inspired the gods to bring her to life. His name is given to the psychological effect that people tend to behave the way that others expect them to.

The Pygmalion effect has great significance when planning your information security awareness campaign, and when communicating about information security matters more generally. Whether you expect the best or the worst from people, you’ll be right.

Employees being made aware of information security threats and risks, and why avoiding them is important to the ongoing success of the organisation and also what they can do to protect against them will encourage more secure behaviour by employees who are often assumed to be, (and told that they are), the weakest link.

Goodbye to the weakest link

In the opening example, Estella recognised that the attachment was suspicious, and this was quickly reported. This shows excellent security awareness that should be applauded! A potential security incident can be quickly assessed and contained.

By contrast, continual reference to human weakness and humans as the weakest links, sets the expectation that humans are doomed to fail and can do very little to help the situation. Human error will never be entirely eliminated, and it is important to recognise and plan for this.

A recent report by the SANS Institute is vociferous in calling out the Pygmalion effect, imploring the security community to ‘stop blaming employees as the security problem’ and instead to seek to understand the root causes in failing to change human behaviour and address those issues. How can we bring about such a gestalt shift in perception?

Human after all

Put yourself in Pip’s place. What goes through your mind as you realise that perhaps opening that attachment was not the best idea?

  • What’s going to happen?
  • Am I going to get into trouble?
  • Will anyone know it was me?

Humans are prone to negativity bias and will be more likely to focus on unpleasant circumstances such as the questions above. Be aware of this human weakness and address it by providing answers to these natural concerns.

The culture of an organisation, and in particular the security culture, will greatly influence how a human in that organisation will react in the face of an incident. Is the security function seen as a prosecutor making accusations of wrongdoing or a paramedic on hand to help? Who would you rather turn to?

Ten million incentives

The GDPR sets out requirements for data controllers to notify personal data breaches to their supervisory authority (for the UK this is the Information Commissioner’s Office, ICO) without undue delay, and where feasible, not later than 72 hours after having become aware of the breach. For many organisations and industries breach notification will be a new requirement.

The ICO’s communications on this topic reinforce the positive expectations approach: data breach reporting is not about punishing organisations, and will not halt criminal activity, but will help to raise the level of security and privacy protections across the board.

Failure to meet the various requirements pertaining to personal data breach notification could lead to a maximum penalty of €10million or two per cent of the organisation’s total worldwide annual turnover, whichever is higher. The ICO has clarified that fines will be proportionate and not issued in the case of every infringement. However, the threat of this penalty still serves as a powerful incentive.  

Bringing the statue to life

So, how can taking a positive approach help to meet the GDPR data breach response requirements? Making clear positive expectations will help people to understand the actions to take when detecting or responding to a potential incident.

Make it clear the types of things that should be reported as security incidents, and describe these in language that all can understand and contextualise. ‘Sending a customer’s records to the wrong person’ is much clearer to someone who works day-to-day with customer records than the security lens of ‘accidentally or deliberately causing a breach of confidentiality.’

Within a GDPR notification, the controller needs to provide details of the categories of data and the approximate number of data subjects whose data have been breached as well as the likely consequences of the breach. Measures taken to address the breach must also be shared.

An employee reporting a potential security incident should be seen as a positive event that accelerates the organisation’s ability to resolve it. ‘Tell it all, tell it fast, tell the truth’ offers the ICO. Make it easy to report suspicions, and easy for people to know how and what to report so that the incident investigator’s job is made easier.

If employees are unclear on the consequences of reporting, negativity bias may creep in and they may elect not to report, or to delay reporting. Make it clear that employees will not be blamed or punished for making genuine mistakes and that it is far better to report something so that it can be fixed. Set this positive expectation and handle malicious or grossly negligent cases as a minority exception.

Consider also suppliers, partners and other data processors working on your behalf. If they are worried about contractual wranglings in the event of a data breach you may not be notified promptly.

Personal data breaches only need to be notified under GDPR if it is likely that the breach will result in a risk to people’s rights and freedoms. If this risk is high, then the affected data subjects also need to be notified, unless appropriate controls are in place to mitigate this risk.

Data privacy impact assessments will help to assess this risk. Further context can also be taken from the incident reporter (if the right questions are asked) who may well know the specific detail of data that has been breached and can help to narrow the scope of an investigation.

Turn human weaknesses to strengths

Mistakes are going to happen. Hackers are going to hack. Acknowledge and anticipate this by setting great expectations of the humans in your organisations. You may well be surprised at who your benefactors are when it comes to data breach response.

Further reading
 

Image: iStock.com/vitranc

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.