What does psychology say about small business IT security?


The basic premise of behavioral psychology is that human behavior is shaped through a complex scheme of rewards and punishments. In fact, early psychologist B.F. Skinner once claimed he could lead a healthy child into any profession by manipulating those two factors accordingly, though some argue that people are a little more complicated than a reward-punishment model would suggest. That complexity is likely not lost on SMB IT security professionals, who have had to find ways of promoting safe habits among employees with limited security budgets.

Many companies turn to policy, while others tout the benefits of end-user education. However, few organizations would likely claim they have found the perfect solution to protecting business data and keeping employees aware of best practices. One expert recently argued that professionals like Skinner may have had something to say about IT security in the SMB arena.

"Let's face it: The second that it's easier to not comply with data security standards (or when those data security standards stand between the employee and something they want), there goes your adherence to the data security policy or process," wrote TechTarget editor Wendy Schuchart. "Even the most cautious employee, who would never dream of risking data security, wouldn't think that downloading Candy Crush Saga might leave the network vulnerable to Trojans."

An IT security gift basket
The concept behind traditional awareness training and IT security education is valid, but there is a problem in execution. As a Ponemon Institute study revealed, half of all data breaches among SMBs can be attributed to human error or negligence. This is further exacerbated by the fact that SMBs tend to be less prepared to recover from an incident than larger enterprises. Schuchart argued that the solution may be to provide incentives to follow best practices rather than simply create policies and expect everyone to follow them.

Finland's government-sponsored prenatal program, which gives expectant mothers supplies like clothing on the condition that they sign up for prenatal care, serves as a good example of how the concept may be applied effectively. By providing items the mothers would need anyway, Finland saw an increase in people signing up for prenatal care and the country's infant mortality rate has since declined significantly. As Schuchart noted, former White House CIO Theresa Payton has done something similar with IT security training. Payton created a data security briefing pack that outlined a simple process for reporting a lost mobile device and included a White House-branded item as a reward for attending. The result is that the time between losing a device and reporting dropped to an average of two hours, down from more than a day prior to implementing the program.
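The figure Schuchart cites (two hours to report a lost device, down from more than a day) is only meaningful if the organization actually measures time-to-report. The following is an added example, not code from the article or from Payton's program, showing how a small security team could compute that metric from its own lost-device incident records and compare employees who attended the briefing with those who had not. The records, the field names and the 24-hour threshold are all constructed assumptions for the example.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real data): when the device was
# lost, when the loss was reported, and whether the employee had attended
# the security briefing. Field names are an assumption for this example.
SAMPLE_INCIDENTS = [
    {"employee": "e001", "attended_briefing": False,
     "lost": "2014-03-03T09:00", "reported": "2014-03-04T14:30"},
    {"employee": "e002", "attended_briefing": False,
     "lost": "2014-03-10T17:00", "reported": "2014-03-11T19:00"},
    {"employee": "e003", "attended_briefing": False,
     "lost": "2014-03-14T08:00", "reported": "2014-03-16T10:00"},
    {"employee": "e004", "attended_briefing": True,
     "lost": "2014-05-05T09:00", "reported": "2014-05-05T10:00"},
    {"employee": "e005", "attended_briefing": True,
     "lost": "2014-05-12T13:15", "reported": "2014-05-12T15:15"},
    {"employee": "e006", "attended_briefing": True,
     "lost": "2014-05-20T18:00", "reported": "2014-05-20T21:00"},
]


def parse_incidents(records):
    """Validate each record and attach the hours between loss and report."""
    parsed = []
    for rec in records:
        lost = datetime.fromisoformat(rec["lost"])
        reported = datetime.fromisoformat(rec["reported"])
        # A report timestamp earlier than the loss is a data-entry error;
        # refuse it rather than silently producing a negative duration.
        if reported < lost:
            raise ValueError(f"{rec['employee']}: reported before lost")
        hours = (reported - lost).total_seconds() / 3600
        parsed.append({**rec, "hours_to_report": hours})
    return parsed


def time_to_report_by_cohort(records):
    """Mean and median hours-to-report, split by briefing attendance."""
    parsed = parse_incidents(records)
    stats = {}
    for attended, label in ((True, "attended"), (False, "not_attended")):
        hours = [p["hours_to_report"] for p in parsed
                 if p["attended_briefing"] == attended]
        if hours:
            stats[label] = {
                "count": len(hours),
                "mean_hours": round(mean(hours), 2),
                "median_hours": round(median(hours), 2),
            }
    return stats


def late_reports(records, max_hours=24.0):
    """Incidents reported later than max_hours after the loss.

    The threshold is an assumed policy value; the longer a lost device goes
    unreported, the longer it sits outside remote-wipe and credential-reset
    controls, so these are the cases a security lead would follow up on.
    """
    return [p for p in parse_incidents(records)
            if p["hours_to_report"] > max_hours]


if __name__ == "__main__":
    for cohort, numbers in time_to_report_by_cohort(SAMPLE_INCIDENTS).items():
        print(cohort, numbers)
    print("late reports:", [p["employee"] for p in late_reports(SAMPLE_INCIDENTS)])
```

Running the script on the constructed records gives a mean of 2.0 hours for the briefed cohort against 35.17 hours for the unbriefed one, and flags the three unbriefed incidents as exceeding the assumed 24-hour threshold. With real incident data the same split tells a team whether an incentive-based briefing is changing behaviour before it is rolled out company-wide.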

"And the unexpected benefit was that employees who hadn't yet received their security packet were actually calling up the CIO's office and asking for it," Schuchart wrote. "Can you imagine one of your employees actually calling up and asking for a security brief?"

The primary advantages of this approach are that it is inexpensive and that it directly counters the rise of threats such as social engineering and phishing. Because these types of attacks target users, IT-centric solutions are not always effective in preventing the breaches they cause. However, no single approach should be seen as a cure-all, and it is important to keep some traditional perspectives in mind when implementing new solutions to old problems.

Is there room for gamification?
This idea is similar to the gamification concept that has made its way through numerous industries. The idea is to take the qualities that make video games enjoyable and apply them to a business setting to raise engagement. For instance, managers may outline requirements for achieving a salary bonus and assign points based on employee accomplishments to mimic the process of leveling up a video game character. Recent MarketsandMarkets research suggests a significant amount of enterprise interest in this idea, with the gamification software market expected to reach $5.5 billion in 2018, up from $421.3 million in 2013.

The only problem is that many implementations of this software do not meet expectations, and researchers suggested this may be because the concepts behind applying gamification in a business context are often misunderstood. The main challenge for any engagement strategy, whether it has roots in the teachings of Skinner or in video games, is to balance the needs of both management and employees. On one hand, employees don't want to constantly hear of the company's certain destruction if they fail to password-protect their smartphones. On the other, companies need to ensure that they have communicated information clearly and that their employees understand their responsibilities when handling sensitive data.

As with any new trend or technology, there are likely parts that will work within a particular organization's environment while other components don't fit too well. For SMBs that find their security training programs are not achieving the desired results, it may be helpful to craft a customized IT strategy that first identifies a specific problem, such as employee awareness, and then takes the most promising elements from these engagement philosophies. For any large-scale security program overhaul, it will likely be beneficial to run a pilot project before full implementation to test how employees will react and whether the changes are operationally feasible.
