by Thor Olavsrud

10 Tips to Embed Positive Information Security Behaviors in Employees

News | May 21, 2014 | 7 mins
IT Leadership, Risk Management, Security

For decades, companies have attempted to educate employees on security awareness. However, these efforts have largely failed. Instead of merely seeking to give workers knowledge, you need to embed behaviors that reduce information security risk.


For decades, organizations have spent millions attempting to educate employees on security awareness. The results have been marginal at best, according to the Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues.

“A really small percentage of organizations are able to say they’ve reached a heightened level of security awareness or positive behaviors that they’re really striving for,” says Steve Durbin, global vice president of ISF. “If what we’re currently doing from an awareness standpoint isn’t working, what do we need to do to be more effective in this space?”

The answer, he says, is to embed positive security behaviors into your business processes. Here are 10 principles that can help.

Embed Positive Information Security Behaviors

Seek to promote and value behaviors that let people play an essential role in strengthening organizational resilience. It is not enough to tell them what they should do; you need to help them understand why the behavior matters and to feel ownership of it, so they recognize the key moments and make the right decisions. This may require tailoring the message to the particular department, or even the role, you are targeting.

Hold People Accountable for Security Behaviors

Finally, you need to hold people accountable for their security behaviors. That means rewarding good behaviors and addressing unacceptable ones constructively, in the same way you would any other substandard performance.

“It’s about consistency,” Durbin says. “You have to try to do away with ignorance around all of this. It’s about getting across what good information security behavior looks like. If you are deliberately going to break these rules as opposed to making an honest mistake, there are consequences and those are embedded in our HR policies. But if someone makes an honest mistake, you want them to come forward. Create a positive environment where people understand that it happens.”