I just read the following story regarding IT security:

“The weakest security link: Users.”

issued the results of a survey that found–you guessed it–end-users, and “their unwillingness to follow good security practices is the primary barrier to improving protection against malicious code.”


Clearly this news comes as no surprise to most of you that are practicing IT professionals. The biggest question surrounding this issue is not that users are the weakest link, but how to deal with it. Definitely a tough issue to deal with, or we would have solved it already, right?

Like many complex problems, the solution is multifaceted and includes technological and nontechnological components. Our first steps in combating user unwillingness to follow security practices fall on the nontech side and involve changing/shaping behavior.

I. Rules and Regulations:

In order to move noncompliance from just an organizational social phenomenon to one of actual consequence, we have to have our security practices codified in the form of “official policy and procedure”–preferably in the organizational policies and procedures, not just departmental rules and regulations.

By doing so, we hopefully are conveying to the organization that we are serious about security and that violations do have consequences. However, this is easier said than done. It involves convincing senior management that information systems security is important enough to discipline employees over and, more importantly, that the rules are important enough to enforce. It’s possible to write volumes on just this aspect, but let it suffice to say that this step is not the place to skimp on research and details, and the more well thought out and articulated the policies, the better. Also, your governance body can play a huge role in the formulation of policy.

II. Training:

It is not enough to get the rules on paper; they must be articulated in such a fashion as to let employees know why security practices are important, as well as the consequences to both them AND the organization of not following them. A great place to start is by catching the employee as they enter the organization. They have yet to be indoctrinated into bad habits by coworkers and tend to be more open to organizational messages than they are later on. So have someone from IT be part of new employee orientation, or make sure that whoever is charged with the orientation can deliver your message in an effective

We can’t forget current employees in our training. We need to find ways to train existing users on the importance of good security practices. Whether this is through HR-sponsored internal training, brown bag lunch and learns, or some other method, the training needs to be made available frequently and the content kept
III. Communication:

This is your propaganda campaign. You are running one, aren’t you? Just like in WWII with “Loose Lips Sink Ships,” you need to get the message out in a variety of ways. Come up with a slogan and plaster it wherever and whenever you can. Start-up messages, e-mails, the company intranet, e-mail signature lines, posters, mouse pads, contests; the limit is your imagination. Keep the messages regarding good security practices in front of employees as much as possible. It will begin to sink in, and soon peer pressure among employees will aid in policing your policies.

One idea is to publicize compliance by having a very visible scorecard on the intranet that shows violations by department, or by showing how many days have passed since a violation in a particular area – such as: “HR has been 128 days without a security violation.” Of course this has to be coupled with random audits by staff who can use minor infractions as learning episodes by issuing “warnings” and, of course, keeping records. This can be done in a way that you are taken seriously without getting the reputation of the
IV. Enforcement:

Assuming you have clear rules, regulations and consequences created as part of step I, you must be proactive and consistent with enforcement. In many organizations this means having those difficult battles with other managers that get escalated to senior management because they (the other manager/s) have a “star” performer who feels they can ignore rules and regs that inconvenience them. You must be prepared to invest the time in these seemingly “minor” infractions because of the precedent they set and the message they convey. Major violations are usually a breeze, and few managers will protest the enforcement of those rules and regulations on any employee. For example, it’s hard to defend anyone for viewing porn in the office, and it’s usually a one-way ticket out of the organization.

As mentioned above, there is an ever-increasing array of technology-based tools that aid in enforcing–or better yet–taking most of the security practices out of the users’ hands. From firewalls, antivirus software, Web filtering and tracking, to keystroke logging, spam filters, and routing rules, there are seemingly dozens of new tools being created every day. I have written about some of these in previous blogs and articles, and you will find that, in general, I prefer tools that prevent infractions rather than just report infractions.

None of the components listed above can work alone to solve the problem of users who are unwilling to follow security practices. Together, though, they can go a long way in reducing security vulnerability due to our users.
