Last Updated on 2022-08-20 by Joop Beris
As a parent, I’ve made it a point to never tell my children they won’t be able to accomplish something. I don’t encourage them to be reckless or foolish, to be clear. But if one of them tells me that they want to learn a certain profession I tell them they should go for it, work hard in school and follow that desire. I like that they have dreams and goals and motivation helps them to accomplish those. Motivation helps us to plan, to grow interests, develop talents and boost our engagement.
Professionally, in information security, I continue to see the opposite: people referring to humans as the weakest link in the security chain. I don’t like that approach because I think it is counterproductive.
People are the weakest link
Don’t get me wrong, I know perfectly well that people usually are the weakest link. There is a reason so many ransomware attacks start with a phishing email: it’s easy to fool a human being, and with phishing and other forms of social engineering getting ever more sophisticated, this is unlikely to change in the near future.
Even though people are the weakest link in information security, I don’t think it’s helpful to point this out all the time. I’d much rather have the humans who use information systems on my side and involved when it comes to information security!
Why I don’t like the “weakest link” mantra
There are a couple of good reasons why I don’t like the “weakest link” mantra. It’s those reasons that made me stop using that approach. Let me list them below:
- It makes people feel powerless
Even if a statement is not true, if we hear it often enough, we will start to believe it. In psychology, this is known as the illusory truth effect. So every time an information security professional states that “people are the weakest link”, that statement becomes reinforced. If people accept this statement as true, it will create a feeling of powerlessness in them, leading to a lack of motivation and care. This is the opposite of the attitude that we want people to display when it comes to information security!
- Doesn’t foster a feeling of responsibility
Information security is the responsibility of everyone who works at an organisation. It’s not always seen that way, but since information is everywhere and most people in modern societies work with information, that’s the way it should be. Information security professionals want people to feel that responsibility, but I doubt you can achieve that by approaching people in a way that relieves them of that responsibility (see previous point).
- It might make people hesitant to report incidents
Incidents will happen, no matter how responsible people are and how many measures are in place. The sooner incidents are reported, the sooner they can be dealt with. If they don’t feel responsible, users will be less likely to care and may not report incidents or, even worse, they may worry they’ll be blamed for causing an incident. Again, this is the opposite of the attitude we want people to display.
These are the main reasons why I stopped approaching people about information security in this way. Instead, I try to approach people in a way that makes them feel responsible and hopefully gets them engaged.
How I approach people
The users of an information system are often the first people to notice that something is wrong. Because of that they’re not the weakest link, they’re my front line. They are an integral part of the detection mechanism and as such, very important for the information security process.
Instead of approaching people as the weakest link, I approach them as if they are an important part of information security…because they are! If I want people to feel responsible for information security, I have to take them seriously and approach them in a serious manner.
This approach requires a few things, apart from a different attitude from the information security professional. The main requirements are the following:
- Basic awareness
First and foremost, users need to know what constitutes a security incident, how to recognise one, how to react to it and where and how to report it. For this reason, it’s important to teach awareness and the ability to identify risks. A multifaceted awareness programme is a big help here.
- Safe environment to report issues
People need to feel secure when reporting security incidents. They need to know that even if they’ve caused the incident, there will be no negative consequences for them. Unless we are talking gross neglect of due care and due diligence, perhaps. My mantra here is always: we learn from incidents, we don’t punish people for them.
- Motivation to report incidents
Don’t you hate filling out those customer satisfaction surveys or complaint forms and never hear anything back, except maybe a standard reply about how they value your opinion or some such drivel? Well, it’s probably the same for users who take the time to report an incident. If they never hear back about what happened with their incident report, they won’t be as motivated to report something again. So I feel it is vital to let people know what happened with their report. It helps people to stay engaged and feel responsible if something actually happens as a result of their report.
Obviously, there will always be people who won’t feel responsible for information security (or anything else), no matter how you approach them. But in most other cases, I think the above approach will lead to more commitment in the long run.
What do you think?
So what do you think? Is it fine to approach people as if they are the weakest link? Do you think my approach is better? Do you have a different approach? Let me know in the comments below, please!