Читать книгу Security Awareness For Dummies - Ira Winkler - Страница 25

Security awareness programs fail when they treat security as a should-do task and not as a must-do task. Security becomes a mere should-do task when programs seek to influence people to behave securely. These programs attempt to influence users to do the right thing by providing them with more information. Security becomes a must-do item only when users appreciate the consequences of their failings.

Consider awareness programs for sexual harassment, financial compliance, and similar issues. These programs don’t try to influence people to do the right thing — they inform users of their job requirements and the consequences of failing to meet those requirements. Failing to meet financial compliance requirements (such as properly filling out time cards, for example) can result in employees not being paid.

Compliance with a security awareness program that can prevent company operations from grinding to a standstill from a ruined computer network is something that, similarly, must be treated as, well, a must-do task. Security behaviors should be embedded within all business practices — not just added to the process. For example, when you’re authenticating a user for a system, the security checks should be, not an addition to, but rather an embedded step within the overall practice. It isn’t a separate function.

Ruining the company computer network typically has far-reaching implications that are difficult to recover from. Yet desired cybersecurity practices continue to be treated as a should-do task. If you want your awareness message to be conveyed and followed, you need to portray your message as a must-do task. In other words, proper security-related behaviors aren’t optional — they’re required, just like all other business functions. Let me be clear: I am not saying that you personally should make the behaviors a must; good security practices are likely an organizational mandate.