Information security awareness: educating your users effectively
M.E. Thomson, Port Elizabeth Technikon, Port Elizabeth, South Africa
R. von Solms, Port Elizabeth Technikon, Port Elizabeth, South Africa

This article investigates the evolution of computing, with specific reference to the security issues involved. These issues are then taken further to determine the need for education in the workplace through an information security awareness program. Techniques borrowed from the field of social psychology, which have been largely ignored in current awareness programs, are highlighted in order to show how they could be utilized to improve the effectiveness of the awareness program.
Introduction
The use of information technology has
changed dramatically over the years. The
user profile has also changed accordingly
from a situation where all users were computer or information technology specialists
to a situation where most users today are
barely computer literate. This article will
attempt to highlight the reasons why an information security awareness program should
enjoy more attention in all organisations. It
will also spell out the objectives of such a
program and the potential for utilising psychological principles to make the program
more effective. These are principles that have
been refined over many years of research in
the social psychology arena, but which have
been largely ignored by IT professionals
when developing information security awareness programs (Kabay, 1994, p. 1).
Technological advances
The technical development of the computer
and associated disciplines has played a large
role in the profile and involvement of the user.
A description of some of these advances and
their influence on the end-user will help to
understand the current situation. These
advances will be divided into three stages of
development to highlight the situation of the
typical IT user in an organisation.
Information Management & Computer Security, 6/4 [1998] 167–173, © MCB University Press [ISSN 0968-5227]
Standalone mainframe computing
This form of computing was used when computers were first introduced in business. The
machinery was extremely large and susceptible to environmental conditions. The result
was that it had to be housed in a completely
separate building; hence the term standalone
computing (Schaeffer, 1987, p. 113).
When this form of computing was used, the
security considerations were relatively easy
to satisfy as the following will indicate:
• The computer centre was housed in a completely separate building. Anyone needing
to use the computer had to be in the computer centre building; hence physical
access control was the major security consideration.
• Generally, the type of systems in use were
single user, i.e. only one person at a time
could work on the machine. Anyone entering the building would have been screened
by the access control device at the entrance
to the building, thereby eliminating the
need for any form of user authentication.
• The major threats to the computer were of
an environmental nature, i.e. floods, earthquakes, fires, and civil disorders. It was
relatively easy to take precautions to minimise these threats. The building could be
situated in an area safe from flooding and
free of any seismological activity. Fire
detection and extinguishing equipment
were also very effective.
As can be seen, the threats to this form of
computing were of a physical nature and very
effective precautions could be taken to minimise them to an acceptable level. All computer programs were processed in a secure
physical environment. Electronically, it was
difficult for any party to gain unauthorised
access to any data. The users of information
posed no security threat to the information,
because no user had any access to any data
electronically. Unfortunately (from a security
viewpoint), the use of computers evolved
further, rendering these security precautions
obsolete, and further security measures were
needed.
Multi-user computing environment
This form of computing brought with it new
threats which needed to be countered, specifically the following (Shelley et al., 1992, p. 7.16):
• more people were able to work on the
machine at the same time, and not always
within the confines of the computer centre;
• access control to the computer centre was
no longer adequate to determine the validity of users, since workstations were now
situated in the user’s work environment;
• users were allowed access to computer
systems electronically;
• many components were shared, e.g. memory, databases, printers, etc.
These security considerations were largely
eliminated by the implementation of a user
authentication system on the machine. All
users were allocated a user identification
(userid) and a password. This userid and
password were used to identify and authenticate a user successfully. Based on this successful authentication, the operating system
provided authorisation to the user to utilize
system objects. The workstations in use at
this time were dumb terminals (all intelligence resided on the central computer) and it
was relatively easy to restrict users to work
in certain areas.
This type of security was termed technical
since the operating system on the machine
was enforcing the security. At this phase of
computer evolution, physical and technical
security measures were adequate to ensure
effective information security.
Personal computers and networks
The advent of the personal computer, as well
as the increasing complexity and reliability
of networks, has brought about a great challenge in the area of information security:
• the decreasing price and increasing capabilities of personal computers resulted in
many people in the organisation acquiring
these machines;
• the ever increasing number of software
development packages available made it
possible for these people to start developing
their own systems;
• the knowledge gained from developing
these systems could often give them the
capability to circumvent security measures
built into the current systems;
• the ever increasing use of the Internet
meant that there were potential threats
from outside the organisation.
The above issues combined with the fact that
information systems are becoming more and
more crucial to the successful daily operations of many organisations has brought
about the next major advance in information
security, namely that the profile of the end-user is changing. The profile of the user has
changed substantially in that previously the
user was very often a person lower down in
the organisational structure whose main
purpose was to enter data that would be used
at a later stage by someone higher up than
themselves. This situation has gradually
evolved to the current situation where the
managerial people often need access to information on a “must have now” basis because
of the competitiveness of business. They also
often develop their own small systems to
interpret data acquired from one of the mission critical systems. The data entry party is
also often more computer knowledgeable
than previously. This situation could have the
result that these people could gain access to
or modify data that they were not supposed
to, whether it be intentional or accidental.
This increasing sophistication of the user
combined with the need to grant them access
to the information that they require means
that it is no longer possible to maintain effective information security with physical and
technical controls alone.
It is now necessary to educate the users in
the discipline of information security. Their
behaviour has to be modified to such a degree
that they carry out their day-to-day activities
in a security supporting manner. It is important that this behaviour be subconscious, i.e.
they must carry it out without having to
think about what they are doing. For example
signing off whenever they leave their office,
ensuring that their password is not accessible
to other employees, ensuring that information on the screen is not visible to anyone that
should not see it, making regular backups of
important data, etc.
In order to achieve this an information
security awareness program needs to be
undertaken in every organisation. This program will educate users in information security issues, and will also continually remind
users of the issues and any new issues which
may have become relevant. The objectives of
this security awareness program will be to
change the ideas and behaviour of the user;
therefore the awareness program must be
structured in such a way that the user’s
behaviour and attitudes are modified to
ensure that their actions are security conscious. The above clearly shows that information security has now become very reliant on
operational measures (the user’s behaviour)
as well as the technical and physical measures highlighted earlier.
The discipline of social psychology has,
over many years, conducted research into the
area of successfully changing the attitude and
behaviour of people, and the results of this
research should help to make any security
awareness program more effective.
In the next section some of these techniques
developed in the social psychology area are
introduced. These techniques could prove
useful when applied to an information security awareness program.
The application of social
psychology
Figure 1 represents the typical attitude system which all people have. This attitude system will help to explain the different aspects
involved in determining the way a person
will behave in a given situation (Zimbardo
and Leippe, 1991, p. 32).
M.E. Thomson and
R. von Solms
Information security
awareness: educating your
users effectively
Information Management &
Computer Security
6/4 [1998] 167–173
Figure 1: An attitude system. The figure places the attitude (overall evaluation, which includes all other components) at the centre, interrelated with behaviour intentions (the plan to act in a certain way prior to doing so), behaviour (the actual behaviour exhibited in a given situation), cognitions (ideas, beliefs and knowledge on how one should behave in a given situation) and affective responses (emotions or “gut feelings”).
Central to everything is the actual attitude
itself, but interrelated to it are a number of
other factors:
• Behaviour intentions: this refers to the person’s intention to behave in a certain manner under certain conditions;
• Behaviour: this is the actual behaviour
exhibited by the person in a given situation,
not necessarily the same as they intended
to behave in that situation;
• Cognitions: this refers to a person’s knowledge and beliefs of how one should behave
in a given situation;
• Affective responses: these are the emotional
or “gut feel” reactions shown in any given
situation.
Figure 1 clearly shows that all the areas highlighted are interrelated and as a result a
change in any one of them can have the effect
of changing any one of the others. This could
ultimately result in a complete change of
attitude, which is what one ultimately
requires from a user as far as information
security is concerned. Research conducted in
social psychology has shown that there are a
number of very effective methods that can be
applied to affect a person’s behaviour. This
section will focus on three of these methods,
namely:
1 directly changing their behaviour (ignoring attitudes and knowledge);
2 using a change in behaviour to influence a
person’s attitude; and
3 changing a person’s attitude through persuasion.
Directly changing behaviour
It has been proven that there are techniques
which can be used that will persuade a person
to behave in a certain way, regardless of their
attitude to the subject, or their knowledge on
the subject, or their emotional feeling on the
subject. The following fall into this category.
Instrumental learning
There are two techniques which fall into this
section, operant learning and shaping.
Operant learning refers to a situation
where there is a relationship between a
response and its consequence. If a person’s
behaviour is correct, then they are praised,
and if their behaviour is not correct, then
they are reprimanded (Haber and Runyon,
1986, p. 73).
Shaping refers to a situation where initially
low standards are applied, and as the person’s
abilities improve, the standards are gradually
increased as well. Initially behaviour which
is only remotely like the desired behaviour is
rewarded, but as time goes on, the rewards
become more difficult to earn as more and
more appropriate behaviour is required
(Haber and Runyon, 1986, p. 79).
Example: In an awareness training program these techniques could be applied by
awarding small tokens as rewards to those
employees showing the desired behaviour.
These tokens should not be of any great monetary value, but they must be earned and not
merely given out as a matter of course. They
should also be visible to other employees so
that they can act as motivation for those that
have not yet earned one.
Social learning
This refers to people’s behaviour being influenced even though they are not part of the
whole process. They see how their colleagues’
behaviour is rewarded and tend to behave in
the same way so that they could be rewarded
similarly (Zimbardo and Leippe, 1991, p. 45).
Example: Other employees will see their
fellow workers performing tasks which help
to ensure information security, e.g. ensuring
that their password remains confidential, or
keeping backups of their data. This behaviour will help to instil similar behaviour in
themselves. Employees who are not computer
users could also benefit since they would
become aware of the importance of information security, and a culture of information
security would be fostered within the organisation.
Reciprocity
Reciprocity refers to the fact that people will
want to return a favour, whether it be real or
perceived. If one does something for someone
else, and then asks them to do something for
you at a later stage, it is more likely that they
will do it than if you had done nothing for
them beforehand. This holds true even if the
initial favour was not requested by them, but
was merely used as a ploy to gain their help at
a later stage (Greenberg and Baron, 1993, p.
360).
Example: A typical way in which this could
be used in the awareness program would be
to ask the attendees at one of the education
sessions to do a great number of tasks when
they leave and then to reduce the number
substantially. In this way they feel that you
are doing them a favour by reducing their
workload, and will therefore be more likely to
carry out your requests.
Conformity
Conformity relates directly to group pressure. Everybody seeks the approval of others
for their behaviour or beliefs. If someone is in
a group situation, and there is no support at
all for their point of view, then it is very likely
that they will adapt their ideas to conform
with the group’s. If, however, there is some
support (perhaps only one other person), then
it is unlikely that they will conform to the
group viewpoint (Greenberg and Baron, 1993,
p. 559).
Example: This can be utilised effectively in
the education sessions. If there are some
people who are very disruptive, or who are
very opposed to the views being put across,
then it would be beneficial to isolate them in
groups of people who are very agreeable to
the views being expressed. In this way additional pressure is brought to bear on these
individuals to change their viewpoints to
those desired by the awareness campaign.
Obedience
Obedience to authority is a rule of society
that is ingrained since childhood. Research
has proven that it is often incomprehensible
the lengths to which some people will go in
order to obey an authority figure. This is
especially true if the person giving the orders
is seen to be an expert in the specific field.
The situation in which the orders are given
also plays a big role. If the possibility of saying no is not even mentioned, many people
assume that they are not allowed to refuse the
request – even though they really could
(Baron and Byrne, 1991, p. 340).
Example: This could be used in the awareness program by ensuring that the presenter
is an expert in information security. The
possibility of not carrying out the procedures
outlined should also not be mentioned to try
to increase the obedience of the audience.
Commitment
Another rule of society that is ingrained at an
early age is the fact that one must stand by
one’s word. If you commit to do something,
then you do your utmost to ensure that it is
carried out (Zimbardo and Leippe, 1991, p. 80).
Example: This can be utilised in the awareness program by ensuring that the presenter
gets each attendee’s commitment to try to
apply the knowledge gained in the session.
The commitment could be as a verbal
promise or as a written commitment.
By effectively utilising the above
techniques within the information security
awareness program, the presenter should be
able to ensure that the program is far more
effective in realising its ultimate goal, that of
changing employee attitudes and behaviour
to be more security conscious.
Changing attitudes through a change in
behaviour
The previous section highlighted ways of
influencing a person’s behaviour, regardless
of their attitudes. This section will attempt to
indicate the ways in which using a change in
behaviour can lead ultimately to a change in
attitudes. A change in attitude is also much
more likely to result in a long-term modification of behaviour. The following techniques
can achieve this change in attitude:
Attribution
Attribution refers to the need by a person to
attribute some sort of reason for a particular
form of behaviour. Self attribution is the need
for a person to find a reason why he/she is
behaving in a particular way in a given situation. It is important that the only reason that
can be attributed is a change in attitude
(Baron and Byrne, 1991, p. 80).
The previous section discussed instrumental learning and the awarding of a small
token for correct behaviour. If this token is
too valuable, then the person concerned uses
it as the reason for the change in behaviour. If
it is of little monetary value, then it will not
make any sense to use it as a reason for a
change in behaviour. This results in the individual having little option but to assume that
it is a change of attitude that has caused the
change in behaviour.
Self-persuasion
This refers primarily to the use of role playing exercises in the awareness program.
Making someone play a role which supports a
viewpoint different from their own forces
that person to find reasons to support the role
that they are playing. The reasons that they
arrive at will ultimately be far more effective
than any that the presenter could put forward
to convince that person. It is a widely recognised fact that individuals know themselves
much better than anyone else knows them,
and they therefore also are able to come up
with the best possible reasons to change their
own behaviour. A role playing exercise forces
this to happen (Zimbardo and Leippe, 1991, p.
102).
Dissonance
Dissonance refers to inconsistencies between
a person’s beliefs or attitudes and the actual
behaviour being exhibited. This dissonance
causes tension and in order to reduce this
tension either a change of behaviour or a
change of attitude has to take place. Once
again, it is essential that the individual is not
able to justify the behaviour change due to a
large inducement (money, threats, etc.)
(Greenberg and Baron, 1993, p. 161).
The above has highlighted a very important
fact about attitude and behaviour change. It is
possible that a large inducement will result
in a change of behaviour, but the chances are
that it will not be a permanent change, nor is
it likely to result in a change of attitude. A
change of attitude is ultimately what is
wanted from this program, since it will then
ensure a change in behaviour.
Changing attitudes through persuasion
The previous two sections dealt with methods
of changing a person’s behaviour, and ultimately their attitudes. They used techniques
which almost “tricked” the individual to
change their behaviour, which then in turn
resulted in a change of attitude. The preferred
method to use, however, is first to persuade
the individual to change their attitude, which
will then result in a permanent change of
behaviour. In order to persuade someone, the
following need to be achieved first:
Exposure
In order to persuade someone of something, it
is necessary for them to listen to the message.
It is also unfortunately true that people tend
to “tune out” any messages which do not
agree with their beliefs. This is known as
selective exposure (Zimbardo and Leippe,
1991, p. 138).
Example: In an information security awareness program, the mere fact that employees
are being forced to attend an education session ensures that they are exposed to the
necessary information.
Attention
This is similar to “exposure” above, in that an
individual will pay closer attention to a message that supports their attitude. This also
refers back to dissonance theory in that a
person who pays attention to a message that
does not agree with their beliefs will be
increasing the dissonance within themselves;
hence the tendency to pay more attention to
messages that agree with their beliefs.
Example: In order to hold the audience’s
attention during a presentation, it would help
to regularly remind them of the following
(Zimbardo and Leippe, 1991, p. 147):
• the information is useful and new; and
• if they think about it carefully, the information may not be as different from their
beliefs as they had thought.
Comprehension
It is useless to have the audience’s attention if
they cannot understand what is being presented to them. The medium used to transmit
the information is also crucial at this stage.
The more complex the message, the more
likely that printed media will be more effective since they could then go over the subject
matter repeatedly and in their own time to
ensure that it was properly understood. Conversely, the less complex the message, the
more likely that broadcast media (spoken)
will be more effective (Greenberg and Baron,
1993, p. 159).
Acceptance
Gaining someone’s attention and ensuring
that they have understood the message is not
the end of the battle. It is necessary for the
individual to accept the message, i.e. to
achieve the sought-after change in attitude.
There are a number of factors to consider at
this point (Greenberg and Baron, 1993, p. 159):
• The quality of the message or argument
being put forward must be able to withstand any scrutiny from the audience. If
they cannot discredit the message, then
they will be more likely to accept it;
• Since the audience will use their own
knowledge and attitudes as a comparison
for the presenter’s arguments, it is important for the presenter to know something
about the audience so that his/her arguments can be structured in such a way that
there is more likelihood of them being
accepted;
• If an audience’s attention lags, as is likely to
happen at some stage, it tends to take a
more heuristic route to accepting or rejecting the message being put forward. This
entails using “rules of thumb” to make a
decision. In this situation the presenter’s
status becomes more important than the
quality of argument. If the presenter is seen
to be an expert, then the audience will be
more likely to accept the arguments being
put forward (Baron and Byrne, 1991, p. 151).
Retention
Retention deals with ensuring that the attitudes are retained for a significant length of
time. There are a number of techniques
which could help to ensure this (Zimbardo
and Leippe, 1991, p. 181):
• repetition of important facts during the
presentation will help to ensure that they
are more likely to be remembered;
• ensuring that the attitude was arrived at
through systematic methodical analysis
means that it will be well-connected to the
interrelated attitude systems of the individual, and will therefore also be well retained;
• if two opposing arguments are presented
one after another, and a decision must be
made, then the second argument tends to be
more persuasive since it is fresher in the
mind.
In this section a number of psychological
issues were identified that can effectively
change the attitude and/or behaviour of people. Seeing that in most cases this is precisely
what one would like to accomplish in a security awareness program, these issues should
be integrated into such a program to make it
more effective.
Social psychology in security
awareness
The previous section highlighted some of the
social psychological techniques that could be
pertinent to an information security awareness program. This section will focus more
on the awareness program itself, and will
attempt to show specifically where certain
techniques would be of value.
As was highlighted earlier, the profile of the
user has changed significantly over the years,
and an end-user today could be anyone from
the CEO of the organisation to the lowest
clerk. Previously, the use of role playing exercises and the use of examples related to the
employee’s own work situation were suggested as good techniques to achieve the
desired outcome. Since the end-user could
vary to include all levels of the hierarchy
within the organisation, it makes sense to
ensure that the groupings include people
from a similar level in the organisation. This
would make it easier to have a role playing
exercise, as well as using examples, that were
relevant to the work situation with which
they were familiar.
The awareness program should be divided
into a number of short education sessions.
This would help to ensure the employee’s full
participation and attention. Some of the
advantages of short sessions are:
• participants are more relaxed since they
are not removed from the workplace for too
long. They are not going to get far behind
with their normal workload;
• previously it was highlighted that people
tend to “tune out” if something does not
grab their attention or if it is too long. This
is eliminated because the presentations can
be short and to the point, thereby having a
far greater impact.
There would be some form of commitment
required at the end of each session, i.e. participants would have to give a preferably written
undertaking to implement whatever they
learned in that specific session. This would
satisfy the commitment technique
highlighted earlier.
An evaluation of the participant’s adherence to the material covered would be necessary. This could take the form of direct observation by the course presenter or by a colleague of the participant. This observation
should preferably occur without the participant’s knowledge. Alternatively, each participant could give a report-back on what they
have done since the previous education session to ensure that they implemented the
topics covered previously. Those who successfully implemented the techniques would
receive a small token as an indication of their
adherence. These tokens, as mentioned earlier, should be visible but of no great monetary value. The type of token envisaged is one
of the following: mouse pad, coffee mug,
paper weight, note paper pad, etc. These
tokens would each bear a message relating to
the topic covered in that particular education
session. This would refer directly to the techniques “shaping” and “instrumental learning”
highlighted earlier.
Each of the education sessions should cover
more topics than actually required. This
would make it possible for the presenter to
make use of the “reciprocity” technique by
getting a commitment from the participants
to implement all the techniques covered, and
then reducing it at the end. This would give
the participants the impression that the presenter had given them something, which
would then make them more determined to
carry out the other tasks that they had to.
It is also of crucial importance that the
presenter of these sessions be an expert in
information security as well as being well
presented. This is crucial since if a person is
not convinced after all the efforts of the presenter, they very often resort to heuristic
judgement whereby they use a “rule of
thumb” to decide whether or not to accept the
presenter’s arguments. These could come
down to whether they see the presenter as an
expert or whether they like them or the way
they are dressed. Heuristic decision making
may sound unlikely, but it is something that
should not be taken lightly.
This section has attempted to show the
structure of the awareness program as well as
where some of the psychological techniques
could be implemented effectively. Some of the
techniques highlighted earlier have not been
included directly in the section on the awareness program. These are techniques which do
not relate to a specific area of the program,
but can be applied wherever the presenter
deems relevant. It is merely necessary that
they are made aware of them so that they can
be applied in the right situation.
Conclusion
This article has highlighted the need for an
effective information security awareness and
training program within most organisations.
In order to be more effective, these programs
need to be tailored to address specific groupings of employees within the organisation,
namely top management, IT personnel, and
the end-user.
Most programs in existence today focus
almost entirely on the end-user. The methods
of presentation, however, result in them not
being as effective as possible. The introduction of some of the techniques developed over
many years of research in the social psychology field can have a significant impact in
making this part of the program more effective.
In conclusion, security awareness
programs need to be implemented in organisations, those already in existence need to be
expanded, and social psychological principles
need to be introduced to improve the effectiveness of the program.
References
Baron, R.A. and Byrne, D. (1991), Social Psychology – Understanding Human Interaction,
Allyn and Bacon, Boston, MA.
Greenberg, J. and Baron, R.A. (1993), Behavior in
Organisations, Allyn and Bacon, Boston, MA.
Haber, A. and Runyon, R.P. (1986), Fundamentals
of Psychology, 4th ed., Random House, New
York, NY.
Kabay, M. (1994), “Psychological factors in the
implementation of information security
policy”, EDPACS, The EDP Audit, Control,
and Security Newsletter, Vol. XXI No. 10, pp. 110.
Schaeffer, H. (1987), Data Center Operations, 2nd
ed., Prentice-Hall, Englewood Cliffs, NJ.
Shelley, G.B., Cashman, T.J., Waggoner, G.A. and
Waggoner, W.C. (1992), Complete Computer
Concepts, Boyd and Fraser, Danvers.
Zimbardo, P.G. and Leippe, M.R. (1991), The Psychology of Attitude Change and Social Influence, McGraw-Hill, New York, NY.