I read this article in disbelief. I do not think shaming should be used as a technique in Security Awareness. I worked for a boss who at one time wanted to advertise bad actors when it came to security, UNTIL that bad actor was the CEO of the company. He changed his mind quickly.
I am not sure how the research was done.
What do others think?
d
Good day, d;
I see your point, but I also disagree. The CEO you mentioned is doing a disservice to the company they represent. At all times, in all discussions of cybersecurity, one of the unwavering rules is that Security starts at the Top. I would be interested in knowing whether that CEO has ever heard of SOX, never mind whether they knew they understood cybersecurity.
Case in point: I worked for an organization where the CISO and I - the Director of Cyber Governance, Risk, and Compliance - made it clear that if any of the staff caught our desktops unlocked and unattended, the faulty party would buy lunch for the entire team. In 18 months, the CISO bought 3 team lunches (no one ever caught me). Truth be told, the CISO would purposely walk away and watch to see who would check his desk, but that's beside the point; he applauded when people took a photo of his screen and then locked his desktop. The cost of the lunch was worth the team building.
The staff would check on the other senior managers' desktops and their peers, too, ensuring compliance. It became a contest: who could catch Larry or Jane with the desktop unlocked.
If anyone is shamed for being careless with Phishing, they need to ask themselves why they aren't more careful.
Nothing wrong with identifying that which is effective, but in selecting what to implement, one must select options that are legal, ethical/moral and effective (in that order).
Therefore I feel any discussion ought also to include the ethical and legal (e.g. potential slander) aspects.
That said, the article may do that - I don't know due to a paywall.
Having put way too much effort into researching security behaviour, and more specifically policy compliance, for the last 6 years, I must say:
Be VERY careful with the research.
This kind of research derives a model from theory and then tests the theory. But this view is very limited.
If you go out on the street right now with a certain assumption about people and you walk around, you will be able to at least partly confirm this assumption.
Theory-based testing is established and scientifically sound, but it only provides plausible generalizable results if:
- The theory has proven its validity over time
- The methodology has proven its validity over time
This is the case in most parts of physics, chemistry, biology, since they have been around long enough to have these discussions. Sociology, socio-psychology, psychology, economics, computer science, information systems, and ultimately information security have not been around that long, and are yet to have these validity discussions in depth.
In 2015 I conducted a meta-analysis on security behaviour. A researcher from Sweden, Sommestad, did the same (independently). We both found that there are no consistently applicable theories in this topic...
Sometimes models check out. Sometimes they don't.
In the meantime, and being in applied research in Germany, I am also consulting with industry customers (actually I am "just" a consultant working on a degree, some publications and fancy words 😉 ). There I have found that it makes much more sense to discuss the behavior in light of the employees.
Tl;dr: Shaming CAN work. But that depends on your employees, and as with any approach to behavior control, if you can live with losing your employee, or at least their trust, you can of course try approaches such as shaming, deterrents, sanctions, threatening.
But if you can't, such things should be a last resort, not a valid tactic.
I've a hunch that this may work for situations in which the actions of the employee are clearly self-attributable, such as leaving highly classified material on an unattended desk or walking away and leaving a screen unlocked, but when another party is trying to socially engineer an employee, it's far too easy for the employee to attribute the blame to the social engineer rather than themselves. In that context, trying to shame them might not be effective and might generate resentment at being unfair. Generally, if an employee has caused a security incident, the first approach should show some understanding in order that the facts can be quickly established. To have the person who was the proximate cause of the breach on the defensive is almost always counterproductive. Ideally you'd want the person to come forward and report what had happened, and I'm far from convinced that making someone feel ashamed of an honest mistake is ever going to be effective in the long term.
Well it depends....
Having a "one method" fixes everything can be a dangerous proposition.
I coach youth sports, and having 3 daughters, have coached mainly girls' sports. One of the things I learned from a winning college softball coach was this: "Boys have to PLAY good to FEEL good, Girls have to FEEL good to PLAY good." So while shaming might work well with one demographic, it can have a negative or the opposite effect on another demographic. Also, you may not know what is going on in people's lives. During one of our championship games, one of my all-stars was having the worst game of her life. I pulled her aside to ask what was going on. I could have been "that" coach that yelled and "shamed" her, thinking that method might lead to better performance, but I didn't. I asked her what was going on. With tears in her eyes she told me that her parents had informed her right before the game that they were getting a divorce. That taught me a valuable lesson. Find out the why.
When I have someone who clicks on a phish, I go ask why. Why did you click on this? Was it carelessness (i.e. just clicking emails open to clear their inbox)? Was it intentional (i.e. clicking on a get rich quick scheme)? Was it accidental (i.e. attempting to click on another email and the cursor jumped or another email came in)? Were they duped (i.e. an effective phishing email)?
If you just go in there shaming them you MIGHT get short term results but I guarantee the long term results will be poor along with the hit to morale. So, no, I do not think shaming should be the first or only choice. Perhaps if they kept being a repeat offender then shaming might be an option to see if it would work for that individual.
Sebastian,
I love your comments here because they support the foundation of my own security compliance research as published in my (open access) dissertation in 2014,
Reasons for non-compliance with mandatory information assurance policies by a trained population
If you had not used it in your 2015 review, I recommend you consider adding it to your reference list now.
My actual research effort was simple to simplistic: I asked respondents why they did not follow some basic security rules, but I did so without priming them or providing pick-list responses based on any single or set of compliance theories. At the time, after extensive literature research, I could find no compliance research in either security or safety that had not been based on, and aimed at, a particular human performance theory.
To make matters worse, I discovered so many human performance theories, listed in my publication and summarized in a couple of other cited works, that it was clear there currently is no validated theory on which to predict likelihood of compliance or reasons for non-compliance.
You may find the tables in my dissertation, to include one used by permission from a previous dissertation, as informative in your own analyses.
I also note your distinction between the "hard" physical sciences and the newer social sciences. As a physical scientist (chemist) I learned the importance of designing experiments to test hypotheses based on theory, as opposed to the scientifically dangerous use of experiments designed to prove such hypotheses. Yet going back as far as an undergraduate course in Adolescent Psychology 201, I have been dismayed by the preponderance of social science research designed to prove hypotheses (and the underlying theories) rather than test them. In recent years I have noted some social science research that does follow the prescription to test rather than prove, but they seem still in the minority.
If you would like to continue our conversations on these topics, please e-mail me directly, so we do not have any social media site as an interlocutor.
Craig
There are a lot of replies and I'm a bit tired, so I have not fully read them all. I also could not read the article because of the paywall, but I would like to say something. I believe that shaming is not a good thing when it is not warranted. Many moons ago I worked for a large company, and there was a person at a remote site who simply needed to change the backup tape in the drive every day. This was often not done, so there was never a consistent backup for that site. What I wanted to have happen, when on any day operations saw the tape was not changed, was to call the person and ask if they were aware that the tape had not been changed. I had no intention of shaming the person for it; it was more of a reminder. Sadly they did not like the idea, and the backups continued to not be performed.
My take on things is to try to laugh about them. If you go, "Oops, so-and-so clicked the bad link, I guess we need to show everyone how he missed it!" I see it as we all make mistakes and we need to educate, not shame, people. If we shame people I believe they will try to hide what happened instead of coming forward.
John-
Where are all of the responses from our East Asian colleagues? Many cultures not only accept public shame as the status quo, but also rely on it to reinforce a sense of morality and good behavior. Every culture has norms of acceptable behavior and in every population of large enough size there will be people who buck the norm outright and many others who secretly reject and rebel against that norm. It is often only when their "misdeed" is brought to light that they are able to accept responsibility. Whether or not this leads to "improved" future behavior or compliance with a norm is debatable.
The effectiveness of shaming depends as much or more on the national culture as it does company culture. I would say that generally there is a world-wide trend to discard traditional values and accept all behavior, though where the line is drawn as to what is considered unhealthy or damaging to an individual or organization is still based more on personal religious and social values than on company values. People who embody words like "Rogue", "Renegade", "Disruptor", and "Rebel" are often idolized regardless of which side of the morality fence they are on. Compounding this truth is the fact that it all depends on your lens and perspective and that can change.
I imagine that the problem of training a workforce in a large MNC that is geographically and socially diverse with varying responsibilities to recognize which actions could be potentially damaging to a corporation and then respond in a certain way is not only challenging, but may be impossible if the goal is to have a centrally-managed program or tool that accounts for all potential targets and scenarios. It may be more effective to let regional leaders determine an appropriate course of action and adapt to their circumstances and environment. I could even suggest that in some cases a special warfare approach to gaining allies and changing behavior should be taken. People either have interests that are aligned with the organization's goals and are working together to accomplish some shared vision or they do not. Unfortunately, this can change with alarming frequency given the right incentive. Most people however are not so easily bought or swayed and adhere to an internal moral structure that does not change quickly and can either be reinforced or degraded over time. The fundamental issues of trust, loyalty, allegiance, and motivation should not be overlooked when trying to understand or alter a person's behavior.
By the way, this is not a problem exclusive to or new to information security and extends beyond public/private organizations. Securing information and preventing "leaks" or errors that lead to exploitation of vulnerabilities has been and will continue to be essential to every successful business, military, revolution, competition, race, sporting event, strategy, partnership, venture, and discovery. What a problem we face!