Into the Breach – Audio Series – Chapter 2 (People Just Want to Do Their Jobs)

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged [...]

Get SMART About Your Security Awareness Program

by Joe Knape

There are a lot of opinions about security awareness programs: what they should look like, what they should cover, whether they work at all, etc. Recently you’ve even read a few posts on the Security Catalyst blog about awareness training. In addition, there has been a lot of “research” and pontificating about [...]

Adopting and Adapting to Advance Awareness

By David McCartney

If you follow me on twitter (twitter.com/iamthedavil), you may be aware that my Information Security (InfoSec) group is in a bit of a project holding pattern for the foreseeable future due to too many projects and not enough people or funds. Like many companies, we are being asked to “do [...]

Is awareness really the goal?

By Dennis Kuntz

When I was first asked to write a post on “Security Awareness”, I began to really think about what is meant by “awareness”. The conclusion I came to was a little frustrating: too often folks think of awareness as an end in itself – as if making folks aware of something is [...]

You are now Liable for Unintentional Medical Data Breach In NY State

A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed a patient’s medical information…. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications…. In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even though there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good faith…. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior…. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA)…. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions under which data can be disclosed.

Improve your security awareness training with pedometers

The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, an important factor is useful feedback, presented in a meaningful way to the end user. Many of the security awareness training programs we evaluate use measures to point out when users do something wrong – for example, using pink or red tape flags or other notices when people violate a clean desk policy. People are then surprised when these measures fail. Put yourself in their shoes – do you like being told you’re wrong all the time?… USA Today ran a story entitled, “Pedometers may encourage weight loss” (By CARLA K…. Turns out that people looking to lose weight through increased movement get good results when they use a pedometer. They have a challenge and an external tool helping them keep track. They write their progress in a journal, which has three distinct benefits: 1. … they have a record of their events, so they can establish a trend and measure progress (or understand lack of progress); 3. they establish a challenge for themselves – and a good (and reasonable) challenge motivates! While the motivations for losing weight and protecting information may be different – how would your security awareness training be improved if you provided user-friendly feedback that could reinforce behaviors?