By Joe Knape
A few weeks ago I posted about helping users pick longer, easier-to-remember passwords. RonW, in the comments, wondered about the best way to get users to “do the right thing”. This post is my take on how that can be done.
I’m not up on the latest Security Awareness techniques but it appears that they typically fall into one of two forms:
1. Mandating: meaning that some group of managers or other executive leadership demands that things be done (or not done) in a certain way, or else.
2. Marketing: meaning that a group, either internal or external, develops a security awareness campaign that can run the gamut from simple to complex and include everything from posters and emails, to screensavers and mouse pads, to security road shows. Everything is slick, colorful and pithy.
Security Awareness has become big business for some companies, and corporations are spending big money to try to get their users to “do the right thing”. Unfortunately, based on the latest in a long line of polls and report findings, neither of the two approaches described above appears to be very effective. User action, both intentional and unintentional, continues to be one of the leading factors in security concerns for companies of all sizes.
I’m not saying that Mandating and Marketing don’t have their place. In fact, Mandating can sometimes protect an organization from certain types of legal action.
What I am saying is that there just might be a better way.
What I describe below leverages some of the insights on social epidemics that Malcolm Gladwell describes in his book “The Tipping Point”. Essentially, social epidemics occur when a small group of select individuals with specific characteristics make them happen, either intentionally or accidentally. He calls this “The Law of the Few”. Gladwell identifies three distinct personality types that he feels are essential to the success of a social epidemic: Connectors, Mavens, and Salesmen.
Connectors are those people who, in Gladwell’s words, have a “truly extraordinary knack of making friends and acquaintances”. For our purposes these are the people who seem to know everyone in the organization. When we need to establish communications outside of “official channels”, we ask this person to make the invitations.
Mavens are defined by Gladwell as people who have helpful information and are not only willing but eager to tell others about it. Guess what: you and your security organization are, or need to become, the mavens. You have the helpful information, and now you must be willing to share it with others.
Salesmen are the persuaders. These are the individuals who have the ability to convince people to do things even when those people might be skeptical of results.
We have to become Mavens of what the right thing is. We have to communicate those things to the Salesmen in our organizations and get those Salesmen in touch with the Connectors. Only then can we have any hope of making fundamental changes in the behavior of our users.
I’m not saying that this will be quick or easy. In fact, it is likely to take much longer than any of us wish.
What’s interesting about this technique is that it can happen in conjunction with other security awareness programs or efforts that might be underway in your organization (as long as you’re not recommending different things of course).
Word of mouth can be a powerful force and if the right mouths say the right words to the right people it can change the world, or at least the organization.