Influencing and Motivating Employees


Humans are often called the weakest link in the security of an organization. The reasons could be carelessness, accidents, susceptibility to social engineering and even maliciousness. As an organization’s security fortress could be considered only as strong as its weakest link, and with “insider threats on the rise” [1], it is necessary for the Information Security team to work on making each employee aware, vigilant, and proactive about security.

Some of the ways employees could be influenced are:

1. Communication from the Top Management – Once the very necessary managerial buy-in has been obtained, communication from the C-suite executives to the employees about policies and mandatory training programs will go a long way in influencing how the employees view the importance of information security.

2. Ramifications and Enforcements – A company which needs to be compliant with HIPAA, FERPA, COPPA, SOX, or the PCI DSS requires strict information security policies which address the penalties for violations, amongst other elements.
Employees who are made aware of the repercussions and ramifications of information security lapses and violations, and of company policy enforcement, will be influenced to treat security with the seriousness it deserves.

3. Awareness of being monitored – Making public the monitoring of employee computer activity goes a long way in influencing that activity and employees’ treatment of digital information. It should help in reducing policy violations.

Some of the ways employees could be motivated are:

1. Interactive and fun training programs – The InfoSec team can use a host of creative material to make the training relevant, focussed, fun and interactive, even while being educative.

2. Public appreciation – When an employee is proactive with information security – for instance, reporting spam/phishing emails or reporting a bug in the system – lauding their efforts should motivate them.

3. Competitions – Fun competitive activities between teams or individuals, based on the training they’ve undertaken, will keep employees engaged and motivated. Prizes and monetary incentives can further help.

Authors Sikolia and Biros, in a paper on “Motivating Employees to Comply with Information Security Policies,” present the following pictorial framework for “improving employee compliance with information security policies.”[2]

Footnotes:

[1] Survey Shows Insider Threats on the Rise: Organizations Experience an Average of 3.8 Attacks per Year. (2015, June 26). Retrieved from http://www.darkreading.com/vulnerabilities---threats/survey-shows-insider-threats-on-the-rise-organizations-experience-an-average-of-38-attacks-per-year/d/d-id/1321069

[2] Sikolia, D., & Biros, D. (2016, May 19). Motivating Employees to Comply with Information Security Policies [Framework for improving employee compliance with information security policies]. Retrieved from http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1012&context=mwais2016