Just under a year ago, I reached out to my professional network to help identify a methodology to create an employee security awareness programme, writes Frank Cannon, who was among the speakers at the UK Security Expo 2016.
By combining the advice received and through further research, I have developed — and road-tested — the following behaviour-based security programme.
The aim is to engage the entire workforce and to change their behaviours so that they contribute to the creation of a secure environment. Whatever they do for the organisation, we want them to act and think in such a way as not to create unintentional security vulnerabilities or unwittingly provide an opportunity for an adversary to mount a successful attack. We want to create an organisational culture where secure behaviours are synonymous with how we do business and not seen as a separate business function or service.
So, how do we start? Like every element of an efficient security operating system, the journey begins at the risk register. If we want to focus the combined power of the employees in the best way possible, we must first identify what our key security messages are. These messages will communicate the most important behaviours we want the workforce to adopt, so that we are addressing the most significant risks. If a desired employee behaviour does not support the pre-determined risk mitigation strategy then, arguably, it should not be part of the awareness programme.
When I mention ‘employee behaviour’ within this article, I am talking about the action that an employee can take to either prevent, or mitigate, a gap in the workplace security plan. We ask for vigilance to identify and report suspicious people, vehicles or objects; we ask employees to lock their doors, close windows and secure sensitive documents at the end of the working day; we ask everyone to display their company identification badge when in the office and encourage them to politely challenge those who don’t; and we ask users to lock their computers to their desks using a Kensington lock and not to share their passwords. These are all simple behaviours that, if repeated every day, help create a secure culture.
Effective awareness programmes will communicate these types of simple, common-sense behaviours to the workforce. It’s worth grouping these behaviour-based key messages together under headings such as location, employee group, activity being performed, or simply risk type. Previously, I’ve clustered my key messages by subjects such as: travel security, office security, home security, cyber security, factory security, construction site security, marine security, or public area security. Alternatively, you can group your key messages by activity or risk type such as: vehicle damage; material control; theft prevention; incident reporting; or emergency response. I then create five or six key messages for each cluster, thus providing me with 50 to 60 key messages that set out the behaviours that I want my workforce to perform. Clearly, some behaviours will address more than one risk. Key messages can also contain critical information and need not be behaviour-based. Notifying the workforce of a company emergency telephone number or of the methods to report events to the company confidential helpline are two such examples. Remember, you can’t buy an off-the-shelf awareness programme that fully addresses your organisation’s security risk mitigation strategy.
Ok, I now have my key security messages but how do I communicate them?
The first aspect of this challenge is to ensure the messages resonate with the audience – assuming, of course, that you have appropriately identified who they are. I achieved this by considering the following criteria:
The security advice provided to the employee should be closely connected and appropriate to the activity being undertaken. There is little point running a campaign to reduce the risk of copper cable theft at a construction site when the workers are assembling cars on a production line. Likewise, minimal value is gained by discussing the risks associated with terrorism on a fruit farm in Wiltshire. If the employee doesn’t believe the risk is likely to happen then they are unlikely to adopt the desired secure behaviour.
The significance of the advice given, or the value the recipient places on that advice, will determine the effect it has. Clear, brief and critical messages that explain how the recipient is to behave are most impactful. The message must be important to the audience if it is to succeed. Mitigating a risk that causes lost productivity or excessive cost is important to a leader or manager, whereas the theft of a critical tool or instrument that prevents a craftsman from finishing his task on time and subsequently receiving a completion bonus is more important to the artisan. Use an appropriate motivator to elevate the level of focus you desire from the recipient of your message.
The advice must also resonate with the audience and encourage an emotional connection. By demonstrating a personal benefit of a secure behaviour, the employee is more likely to adopt that behaviour. Linking the loss of a work-site handheld radio with the inability to call for help in a life-threatening medical emergency is much more impactful than merely stating the monetary value of a replacement radio. An individual’s motivation is increased when their personal well-being is at risk.
Your audience will be a diverse mixture of individuals or stakeholder groups, each of which thinks and behaves differently. Therefore, your programme requires an equally diverse set of communication tools. Remember, some stakeholders are more influential than others, and small changes in their secure behaviours will have a disproportionate effect on the success of your programme. The second challenge in communicating with the workforce is to select the right communication tool for the right stakeholder.
Essentially, I use three types of communication methods (tools): electronic, physical and interpersonal interactions. I create a security advisory, an alert, a video, a slide deck, a poster or an aide-mémoire, which I then make available to my organisation’s workforce supervisors. The cross-functional supervisors themselves are a very important stakeholder group, as I want them to communicate secure behaviours to their teams and not rely on a security specialist to deliver a security message. There is an expectation that secure behaviours are woven into the standard operating procedure — whatever the routine tasks are. Again, to emphasise, I think that delivering security is not an additional task that one does after completing one’s ‘real’ work — but rather an approach taken to ensure the work is completed in a secure way.
It is my belief that a management-endorsed security risk mitigation strategy (or plan) should have a corresponding security awareness campaign that consists of the necessary communication tools to encourage employee participation. Which tools to use when, and how they are delivered, is the subject of another discussion, but I advocate that the messages communicated must be consistent, simple, and encourage intuitive behaviours that add real value to a secure environment.
Finally, to enable you to demonstrate the value, you must pre-agree with the program sponsor how you intend to evaluate and report success. This will help prioritise your efforts and define your success factor from the outset. Please remember, U R at the centre of secURity.