A while back, I heard a presentation by a parenting coach. She had a novel idea for the parents in the room who were seeking ways to make their children behave. Most of the parents told stories of how they always have to correct their children and give them a “time-out” for doing something bad. She asked the parents how often they “catch them being good”.In the infosec community, it seems that we act very much like those new parents, spending far too much time chastising and criticizing our patrons for all of the things they do wrong, such as using weak passwords, implementing poor Wi-Fi security configurations, and clicking before thinking. Perhaps it is time for us to practice some positive techniques as well to shift the focus towards reward rather than punishment.How can we do this? First, let’s move away from referring to everyone who is not a computer professional as a USER. The only other place where people are referred to as users is in the drug trade. These folks are our patrons without whom we would be jobless. Something as simple as that re-classification can have a dramatic effect towards making a person feel that they matter to the overall security process.Next, I have found that our pearls of security wisdom are best received as casual mentions rather than as some of the usual inculcations about all online evils. In my own experience, I have seen even the most hard-hearted hedge fund manager smile when complimented for something as simple as locking the computer screen before stepping out for lunch.Another method that works well is to pose the security message as a question. When a person mentions that they are going to work using the free Wi-Fi at the local coffee shop, rather than stating the directive “make sure you are using a VPN”, why not try phrasing it as a question along the lines of “hey, which VPN do you like to use on those public hot-spots?” I am not so quixotic as to think the answer will be anything other than “what’s a VPN?”, but notice what has happened. Rather than the usual grunt and dismissal that we usually receive when we are issuing our directives, the tone has shifted, even if just so slightly, towards a conversation. The person to whom we are speaking may not immediately drop what they are doing to learn about some of the consumer-grade VPN products, but the potential is much greater than our current approach. A review of recent news showing all the passwords being easily cracked and the successful phishing campaigns clearly indicates that our previous trajectory has not been reaching the target.I am reminded of the quote by Maya Angelou: “I’ve learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel.”If we can shift our approach to teaching security by making it part of a conversation instead of a lecture and to one that recognizes when people practice good security, we will all benefit as a result. Remember, let’s catch them being good.
About the Author: Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Title image courtesy of ShutterStock