Wanna motivate staff to be more secure? Don't bother bribing 'em
Also, don't get the BOFH to publicly smack them with a LART
Usenix Enigma It's frustrating getting users to keep information and systems secure on a daily basis. However, don't try any smart gimmicks – particularly offering wedges of cash or other prizes for good behavior.
It doesn't work. Quite the opposite, it can make things worse.
Paying out a bonus to those who make few or zero security mistakes ultimately demotivates staff, Masha Sedova, cofounder of Elevate security, told Usenix's Enigma 2018 security conference in California on Tuesday.
This is, in part, because once an incentive – especially a financial one – is dangled as a carrot, it's usually never substantial enough to warrant the extra effort required to follow security best practices. Thus, most people don't bother at all to meet the standard, reducing overall security.
Another, er, motivational technique – naming and shaming of employees by the BOFH – doesn’t work either. Sedova said this massively demotivates staff. Instead, IT security teams need to be more positive with users. And by positive, she meant that workers should be praised for good behavior, and be given better tools to tackle threats to the network.
Sedova said that research, and her experience, shows that around 20 per cent of the workforce are very motivated to secure their systems. Around 70 per cent are ambivalent about it and will use security if it’s easy enough, but 10 per cent won’t touch security at all – and in the latter case, naming and shaming may be the only option.
During the Q&A after Sedova's talk, a Facebook engineer in the audience said that the web giant had, as a trial, deployed a button in its internal email system that staffers could press to easily report any message thought to be phishing or packed with malware.
On one level, it worked: the security team saw a 350 per cent increase in dodgy email reports. The problem is most of them were false positives, creating more work for the network defenders. That’s an issue, Sedova said, but the alternative is that too little gets reported.
Ultimately, the right tools and the right level of encouragement and praise is needed to boost corporate computer security, not public reprimands, she said.
Two-factor authentication is seen by some as a bit of a gimmick, a faff, or a tool for the paranoid, even though it's pretty good at stopping unauthorized access to work and personal accounts.
With the help of Facebook, Sauvik Das, an assistant professor of interactive computing at Georgia Tech in the USA, and his team polled a random sample of 1.5 million FB users to find how these netizens preferred to secure their profiles on the social network.
Das presented his findings in a separate Enigma conference session, and revealed that a popular alternative to traditional two-factor authentication is Facebook's trusted contacts functionality. This allows peeps to choose three to five close friends who can green-light stuff like password reset requests. For instance, if someone can't login to the website – whether because they forgot their password or their account is being hijacked – their trusted mates can get together and confirm the user is the legit account owner.
The research also revealed that Facebook users are more concerned about the security of their friends and family than they are about their own accounts. This means it should be possible to make security awareness spread in a viral way. "Reminding family about security techniques can be very effective in changing behavior," Das said. "But it has limitations – warn people too often and you're seen as a nag." ®