Achieving Compliance Objectives

As stated earlier, Honest Security can be used to improve your employees’ understanding of security through personalized recommendations delivered at the point of performance. While education alone can have a modest impact on improving the organization’s adherence to their compliance goals, education alone is not enough.

Let’s face it, even if you have perfect knowledge of security, that doesn’t mean you are motivated, or even willing to apply that knowledge. This section discusses two techniques available to Honest Security practitioners to dramatically improve adherence to these recommendations and compliance objectives.

Generating Predictable Consequences

A few months ago I went for a walk with my wife, Amy, and my infant daughter, Lucy. After about 30 minutes strolling through the park, we went home. I walked up to my front door to find it slightly ajar. I had forgotten to lock it. I had a brief moment of fear that maybe I was going to swing the door open and all of our stuff would be gone. That fear gave way to relief a few seconds later when it was clear everything was just as I left it. Another month or so later, I forgot to lock the door again. Same situation, except this time I was less afraid anything went wrong, and I was right; everything was still ok.

Last week I needed Amy to meet me across town, but she couldn’t find her copy of the house key to lock the door. Recalling the last two experiences, I said, “just leave it unlocked, it’s fine. No one is going to break in,” and she did. Just as before, I was right, and nothing bad happened.

Even though I am aware this is such fallacious thinking, I still fell victim to it. I know that if I did this enough times, the chance I would fall victim to a house robbery will eventually approach 100%. I relied on a sample size of only two personal experiences accidentally leaving my door unlocked to inform an intentional choice to leave it unlocked. This is the problem with risky behaviors: they catch up to you, and when they do, the consequences can be devastating.

This is not an educational problem. You could force me to take training modules on the statistics of house robberies for houses with unlocked doors and it wouldn’t have changed anything. The problem here is in the executive parts of our mind, the part that turns knowledge into action even when there are competing priorities.

Consistency Is The Key

This lack of consistency in realizing negative consequences is endemic in the security space. It’s this very same reason why, over time, our vigilance will slip. Keeping up with the security team’s recommendations takes time, and when time is short, are you really going to spend it making sure you’ve applied the latest macOS updates? You’ve forgotten to stay on top of that dozens of times with no obvious problem, so it’s not really an issue.

This isn’t a new insight. In fact, most IT administrators cynically assume this will happen. This is why many of them seek out tools that short-cut around end-users and just take care of this stuff for them. You can’t forget to install your updates if they are automatically installed by the IT team. Even if it were possible to automate everything with management software (it’s not), this approach generates serious usability problems. Suddenly the process that restarts your computer for that update kicks off in the middle of a sales call. Another time, you realize you can’t turn off your firewall for a few seconds to see if that is what is causing Zoom not to connect. Then the last straw: as you read this guide alone in your house, your screen turns off and the computer locks itself because you forgot to move the mouse for 90 seconds.

Honest Security takes a different approach. Instead of immediately looking for ways to extract human beings out of the compliance problem, Honest Security looks to generate consistency through proportional and, most importantly, predictable consequences when security recommendations are not followed by the end-user.

Steps To Create Fair Consequences

To reiterate, the steps below outline the most effective way for this process to work:

  1. Articulate the nature of the consequence when delivering the recommendation.
  2. Ensure the consequence’s impact on the user is proportional and relevant to the risk they are generating by ignoring the recommendation. (For example, it would be inappropriate to lock the user’s email because they forgot to turn on their firewall.)
  3. Always have an automated system follow through with activating the consequence immediately once the time limit has expired.
  4. Ensure the user knows that the consequence has been activated and is given a clear and automated path to resolve the problem.
  5. In the case where the consequence is particularly disruptive (e.g., losing access to the VPN for failing to install updates), make sure you give the end-user access to members of the IT and Security team to temporarily lift these restrictions.
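The five steps above as a small policy engine. This is an added example, not Kolide's code; the policy table, the grace periods, the `IT_STAFF` set and the user names are constructed assumptions. Each recommendation states its own proportional consequence up front, the consequence switches on automatically when the grace period expires, the message always names the way out, and only IT/Security staff can temporarily lift a disruptive one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy table (an assumption for this example, not Kolide's): each
# recommendation carries a proportional consequence, a grace period, and whether
# the consequence is disruptive enough to need a human escape hatch (step 5).
POLICIES = {
    "install_os_updates": ("VPN access", timedelta(days=14), True),
    "enable_firewall": ("internal wiki access", timedelta(days=3), False),
}
IT_STAFF = {"ops-lead"}  # constructed: who may temporarily lift a consequence
@dataclass
class Finding:
    user: str
    recommendation: str
    first_seen: datetime
    resolved: bool = False
    exempt_until: Optional[datetime] = None
def evaluate(f: Finding, now: datetime) -> dict:
    """Return the finding's state and the message the user should see."""
    privilege, grace, _ = POLICIES[f.recommendation]
    deadline = f.first_seen + grace
    if f.resolved:
        return {"state": "resolved", "message": f"Fixed; {privilege} restored."}
    if f.exempt_until and now < f.exempt_until:
        return {"state": "exempt", "message": f"IT lifted the restriction until {f.exempt_until:%H:%M}."}
    if now < deadline:  # step 1: state the consequence alongside the recommendation
        return {"state": "pending", "message": f"Please {f.recommendation.replace('_', ' ')} "
                f"by {deadline:%Y-%m-%d}, or {privilege} will be suspended."}
    # steps 3 and 4: enforce automatically on expiry and show the way out
    return {"state": "active", "message": f"{privilege} suspended: {f.recommendation} is overdue. "
            "Complete it and access is restored automatically."}
def grant_exemption(f: Finding, staff: str, hours: int, now: datetime) -> bool:
    """Step 5: only IT/Security may temporarily lift a disruptive consequence."""
    if staff not in IT_STAFF or not POLICIES[f.recommendation][2]:
        return False
    f.exempt_until = now + timedelta(hours=hours)
    return True
def walkthrough() -> list:
    # One overdue-update finding through its lifecycle; returns the states seen.
    t0 = datetime(2024, 3, 1, 9, 0)  # constructed clock
    f, late = Finding("alice", "install_os_updates", t0), t0 + timedelta(days=15)
    states = [evaluate(f, t0 + timedelta(days=1))["state"], evaluate(f, late)["state"]]
    grant_exemption(f, "alice", 4, late)  # a user cannot lift their own consequence
    states.append(evaluate(f, late)["state"])
    grant_exemption(f, "ops-lead", 4, late)
    states.append(evaluate(f, late + timedelta(hours=1))["state"])
    f.resolved = True
    states.append(evaluate(f, late + timedelta(days=1))["state"])
    return states
```

`walkthrough()` returns `["pending", "active", "active", "exempt", "resolved"]`: the self-granted exemption is ignored, the staff-granted one is honoured, and fixing the finding clears it.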

Opt-in Management

While this process is effective, there are some people who will continually find themselves on the brink of the consequence activating (or worse, serial offenders). In some situations, these users may do much better with the recommendations they regularly fail to implement on time if the security team could just do it for them. This is where Honest Security can allow the users to opt-in to traditional device management solutions (where applicable) and not have to worry about getting locked out of critical services or accounts.

Team Motivation, Not Gamification

While generating consequences is the most effective way to quantitatively improve compliance, Honest Security also applies other techniques to help bring a little more respect and a sense of camaraderie to the experience. This is important because it adds a group dynamic to the relationship between the security team and the end-users, instead of solely relying on mostly automated one-on-one interactions.

Don’t create individual winners and losers

Team motivation is an incentivization structure designed to create positive and socially visible rewards for groups adhering to Honest Security recommendations. Unlike gamification, which compares individuals’ achievements to ultimately create a dichotomy of individual winners and losers, Honest Security creates incentive structures at a team or group level. This allows competitive individuals within a group to rack and stack the group’s achievements against the rest of the organization. During the camaraderie of racking and stacking, Honest Security engages and nudges individuals privately to improve their group’s performance towards a particular goal.

Example: Slack Implementation

Below is some early UX R&D in how a platform like Kolide might bring this concept to fruition in a Slack interface.

Early Kolide R&D example in a Slack interface

Notice how in this example, anyone can initiate a comparison between different teams/groups, not just a member of the security team. Also notice that the people who are detracting from the overall score are not shamed publicly. They are nudged quietly in private and given an opportunity to work through their recommendations with the incentive of being publicly thanked 30 minutes later when the statistics are updated.
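The team-level scoring and private nudging described in the two passages above, as an added example that is not Kolide's code or the Slack prototype. The device status table, team names and user names are constructed; the point is the split between what is safe to post publicly (team percentages only, never a name) and what goes to individuals in private.

```python
from collections import defaultdict

# Constructed sample data (not from the page): user -> (team, open recommendations).
DEVICE_STATUS = {
    "alice": ("Sales", []),
    "bob": ("Sales", ["install_os_updates"]),
    "carol": ("Sales", []),
    "dave": ("Engineering", ["enable_firewall", "enable_disk_encryption"]),
    "frank": ("Engineering", []),
}

def team_scores(status: dict) -> dict:
    """Percentage of each team's members with no open recommendations."""
    members, clean = defaultdict(int), defaultdict(int)
    for team, open_items in status.values():
        members[team] += 1
        clean[team] += not open_items  # True counts as 1
    return {t: round(100 * clean[t] / members[t]) for t in members}

def public_comparison(status: dict, *teams: str) -> str:
    """What anyone may post in the channel: team-level numbers only, no names."""
    scores = team_scores(status)
    ranked = sorted(teams, key=lambda t: -scores[t])
    return " | ".join(f"{t}: {scores[t]}% compliant" for t in ranked)

def private_nudges(status: dict, minutes_until_refresh: int = 30) -> dict:
    """Direct messages to the individuals who are lowering their team's score."""
    nudges = {}
    for user, (team, open_items) in status.items():
        if open_items:
            nudges[user] = (f"{team}'s score would rise if you fixed: {', '.join(open_items)}. "
                            f"Scores refresh in {minutes_until_refresh} minutes.")
    return nudges
```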

This is a powerful way to encourage competitive members of your organization to drive action towards completing your security compliance objectives, while making security a visible part of the organization’s culture.
