Empowering Employees With the Tools to Be Accountable for Cybersecurity in the Office
rmplaskon
Accountability, which in the security software industry means that each employee has specific security responsibilities, is a much-touted concept both in the industry and in the blogosphere. For most workers, these responsibilities are fairly simple tasks such as avoiding malicious websites or not downloading files unless absolutely required.
Providing users with the tools and data to improve their personal security could lead to better compliance across the organization. The security policy given to new employees usually codifies strict, measurable rules, and security administrators use the same rules to detect potentially dangerous employee behavior. Some security teams go even further: they assign each user a ‘safety rating’ that takes non-prohibited but potentially dangerous behaviors into account – for example, the types of websites you visit, the amount of software on your computer, the number and type of email attachments you open, and so on – and distill all of this into a single number.
Here’s the crazy part – only the security team sees these numbers. We ask employees to be personally accountable, but don’t give them the information that measures and tracks their performance.
We’re seeing more and more instances of motivation-by-data in other aspects of our digital lives. My data backup solution, for example, sends me a weekly status update with a big warning if I’m not currently 100% backed up. My fitness tracker sends me a weekly status update with hyperlinks specifically tuned towards areas I’m having issues with (in my case, that’s normally advice on how to get a full 8 hours of sleep). Even our enterprise chat system sends me weekly status emails indicating how much I’ve been interacting with other employees and how that compares to my previous interactions. All of these help me to be accountable, and they have common themes:
- Simple metrics, e.g. “Your Weekly Safety Score”
- Non-jargon language, e.g. “You locked your computer 10% more, good job!”
- Personalized hyperlinks to guide my self-education, e.g. “What is the risk of opening an email attachment?”
- Historical trends, e.g. “Your last 10 safety scores”
A weekly email with these contents (see my example below) would empower users to take responsibility for their own security and guide them towards self-education, which is a big step towards the original vision of user accountability.
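To make the four themes concrete, here is an added example (my own illustration, not tooling from the original post) that turns a week of per-user counts into a capped 0-100 safety score, compares it with the previous week in jargon-free sentences, keeps the last 10 scores as a trend, and points the user at one self-education link for the area that cost them the most points. The factor names, penalties, caps, intranet URLs and the telemetry values are all assumptions constructed for the example.

```python
"""Build a plain-language weekly 'safety score' digest for one employee.

Added example, not the post's own tooling. The factor names, penalties,
caps and intranet URLs below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


# Each measurable behaviour costs points per unit, up to a cap, so that one
# bad week in a single area cannot zero the whole score on its own.
@dataclass(frozen=True)
class Factor:
    label: str       # plain-language noun phrase, used in the email text
    penalty: float   # points deducted per unit counted
    cap: float       # maximum deduction for this factor in one week
    advice_url: str  # self-education link (hypothetical intranet page)


FACTORS = {
    "blocked_web_requests": Factor("visits to blocked websites", 5, 25,
                                   "https://intranet.example/help/web-filter"),
    "unapproved_software": Factor("unapproved programs installed", 10, 30,
                                  "https://intranet.example/help/software-catalogue"),
    "risky_attachments_opened": Factor("risky email attachments opened", 8, 32,
                                       "https://intranet.example/help/attachments"),
    "unlocked_minutes_idle": Factor("minutes left unlocked and idle", 0.5, 20,
                                    "https://intranet.example/help/screen-lock"),
}

# Constructed telemetry for one user: counts over the previous and current week.
PREVIOUS_WEEK = {"blocked_web_requests": 4, "unapproved_software": 1,
                 "risky_attachments_opened": 2, "unlocked_minutes_idle": 30}
CURRENT_WEEK = {"blocked_web_requests": 2, "unapproved_software": 1,
                "risky_attachments_opened": 2, "unlocked_minutes_idle": 20}
# Constructed history of earlier weekly scores, oldest first.
SCORE_HISTORY = [58, 61, 55, 47, 39]


def score_week(telemetry):
    """Return (score 0..100, per-factor deductions) for one week of counts."""
    deductions = {}
    for name, factor in FACTORS.items():
        count = telemetry.get(name, 0)          # a missing factor costs nothing
        deductions[name] = min(count * factor.penalty, factor.cap)
    score = max(0, round(100 - sum(deductions.values())))
    return score, deductions


def worst_factor(deductions):
    """Name of the factor that cost the most points this week."""
    return max(deductions, key=deductions.get)


def plain_language_changes(previous, current):
    """One jargon-free sentence per factor whose count changed week over week."""
    lines = []
    for name, factor in FACTORS.items():
        before, after = previous.get(name, 0), current.get(name, 0)
        if before == after:
            continue
        if before == 0:                         # avoid a percentage of zero
            lines.append(f"You had {after} {factor.label} this week (none last week).")
            continue
        pct = round(abs(after - before) / before * 100)
        if after < before:
            lines.append(f"You had {pct}% fewer {factor.label}, good job!")
        else:
            lines.append(f"You had {pct}% more {factor.label}, something to watch.")
    return lines


def build_digest(user, history, previous, current):
    """Assemble the weekly email body: score, trend, changes, one advice link."""
    score, deductions = score_week(current)
    recent = (history + [score])[-10:]          # last 10 scores, including this week
    focus = FACTORS[worst_factor(deductions)]
    body = [f"Hi {user}, your Weekly Safety Score is {score}/100.",
            "Your last 10 safety scores: " + ", ".join(str(s) for s in recent),
            ""]
    body += plain_language_changes(previous, current) or ["No change from last week."]
    body += ["",
             f"Biggest opportunity: {focus.label}.",
             f"Learn more: {focus.advice_url}"]
    return "\n".join(body)


if __name__ == "__main__":
    print(build_digest("Alex", SCORE_HISTORY, PREVIOUS_WEEK, CURRENT_WEEK))
```

The per-factor caps are the important design choice: without them a single runaway counter (say, a long idle weekend with the screen unlocked) would hide every other signal, and the user would get no useful "what to work on next" guidance. The same caps also keep the score comparable from week to week, which is what makes the 10-week trend meaningful.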