Fostering security awareness
A modern fairy tale about a frog/prince and his wicked witch
Bauke Jonkmans – VMB security & solutions
Once upon a time…
• You thought your employees were stupid
• … and they thought the same about you
• They just didn’t seem to get the point
• Security, safety and integrity were dirty words
• Security expenses were high
• Return on Security Investment was low
The wicked witch
The wicked witch called ignorance took over your company!
• Did you ever have unexplainable stock differences?
• Do you feel the difference amongst personnel between “knowing” and “doing”?
• Do you think security is the same as securing from risks?
When the spell is over your company
Knowing
• Is enough, when nothing seems to change
• Is important, so management tells us
• Everybody knows about security or safety
• Why bother, when things seem ok?
Doing
• Is no priority, if the spell does not hit me
• Comes after the other employee does
• Means earning? What is in it for me?!
• Is the thing you do after you have seen a good example
Why don’t you….
• Influences on performance
– Environmental
– Skills, knowledge and information
– Motivation, attitudes and incentives
– “Employees don’t close the main entrance at night”
– “My staff seems to think a fire extinguisher is the same as a wardrobe”
– “The things they dó talk about are confidential”
Learn to know the wicked witch
10 steps to become their prince
• Make your problem their problem
– What do they feel from security/integrity breaches
• Make them feel (the right way)
• Create positive examples from outside the company
• Inform about earlier negative examples from inside
• Extrapolate consequences to the bottom line
e.g.: what does the cafeteria lady feel from fraud?
Return on Security Investment
Awareness program
• Bottom-line:
– People value most in creating safety or security.
• Forming an awareness program:
– Requirements driven
– Means driven
– Needs driven
– Motivation driven
Motivation driven
• Don’t
– Think why people should be aware
• But
– Be aware of why people are motivated (to act safely and/or securely)
Tailor your spell and TEAM up
People will not do… | So we do…
What they don’t know they should do or don’t know how to | Training
What they don’t think makes sense | Education
What they never think of doing | Awareness
What they have no reason to | Motivation
Awareness Ladder
• Ownership
• Participation
• Compliance
• Apathy
• Avoidance
• Subversion
Don’t count knots, count steps!
Best Practices
– Interactive: e.g. reactive video or input formed
– Fun: like card games or company scouting game
– Humor: is the best way to disable the wicked witch
– Follow-up: e.g. create an action by employees within 48 hours after training
– Example: be an example and let employees make their peers example
Equality
• Make a list
– When and how to praise persons
– When and how to correct persons
– When and how to sanction persons
• Actions must be
– Equal
– To be expected
– Limited
Wisdom from the frog/prince
• Spells don’t go easy, awareness takes at least 3 months but sometimes even years
• Make your magic wand redundant and specific
• Preach what you teach
• Make awareness solid, e.g. house rules, mission statement and sanction policy.
Bauke Jonkmans
Security Consultant / Interim Security manager
(+31)(0)650508674