Peer Power: Better than Personal Gain and Fear Tactics for Security Compliance


In order for an organization's compliance program to be fully effective, all users must learn, understand, and adhere to the established policies and guidelines. However, motivation is key to getting that to actually happen, and the typical methods usually involve some form of personal gain or fear tactics. These methods are limited in their effectiveness, so exploring other options could be vital to the future of implementing information security compliance programs.

Offering some sort of incentive for completing training or achieving a certain level of compliance only encourages users to rush through everything. More emphasis is placed on the reward than on understanding why these policies and guidelines need to be followed. It then needs to be gauged whether the users actually learned what they were supposed to or just went through the motions to reach the reward. In addition to its ineffectiveness, giving rewards can be costly. A reward must have a certain level of value to actually motivate users. Everyone will try harder for a $50 gift card than for a $5 gift card, and any monetary value is more motivating than a printed certificate. Along with the value of the reward, the greater the chances of obtaining it, the more the users are encouraged. Why would someone put in all their effort if their odds of winning the reward are only 1 in 1,000? When resources are already scarce, this can potentially drain available funds for other compliance program training activities and events.

As for fear tactics, one has to scare the user into practicing good online safety habits and following policies. Sharing horror stories of others’ misfortunes and information security downfalls encourages the user to not want to make the same mistakes. They will want to protect themselves, their reputation, their accounts, and their sensitive data to avoid such costly mistakes and therefore will believe they need to precisely follow the policies and guidelines to stay safe. However, these stories are everywhere and have been heard a million times. Users will not be shocked to hear that these things happen but at the same time believe that it’ll never happen to them. It will be just another news story about someone who is completely different from them and from somewhere they’ve never heard of.

In order for a technique to be more effective than personal gain or fear tactics, it has to avoid the main problem of disillusioning the users. For personal gain, it's that the only reward for following policy is that one gift card or certificate. For fear tactics, it's that the consequences of not following policy seem like just a myth. New methods need to explore motivating users for the right reasons and enabling them to really understand why things should be done a certain way.

One proposed new method is using simple peer pressure. If everyone is doing it, then they should too. However, this will require a little effort in changing company culture. The responsibility to learn and apply information security policies could be moved from each individual to a more team-based approach. The teams should consist of peers, not the more typical office organization of a manager leading a team of subordinates. Regular company or department-wide meetings, programs, and events on information security policy can still occur unchanged, but more team-focused ones should be planned as well. At these team sessions, all members should be encouraged to participate. They should engage in discussion and ask questions of each other and the instructor. Certain topics can be brought up, such as how each member currently handles information security, and then opened up to the rest of the team to examine what works, what could be improved, or why certain policies are needed. If this sort of program is successfully set up, then team members will be learning from and teaching each other. This peer-based conversational approach may be more appealing than the usual lecture method. It also puts more emphasis on normalizing information security and its importance, thereby removing the misconceptions and confusion that other techniques may generate.

This proposed technique aims to be more compelling and practical for getting users to master and adopt information security policies. It goes beyond just rewarding certain actions and trying to scare people into adopting safe habits. By making it a peer-discussed and peer-reviewed topic, information security policy will have a profound office-wide presence that continues beyond the training sessions. The benefits of a strong and prevalent culture of information security can be recognized across the organization, since it protects not just the users but also the data and assets of the organization.

Caitlin Campbell is an undergraduate student at the University of Pittsburgh.

© 2017 Caitlin Campbell. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.