Photo Credit: timsamoff via Compfight cc
There are many ways to change human behaviour, but underneath they boil down to two broad enforcement factors: either the subject fears the consequence of non-compliance, or the subject themselves does not want to commit the non-compliant act.
Let's take this into an InfoSec context. Imagine if you could change users' compliance with policies from being actively enforced to self-enforcing, that is, users do not want to engage in the prohibited behaviour in the first place. It sounds like nirvana, and in some respects it is, but it is achievable in some cases.
In the UK the laws governing the fitting of seat belts came into effect in the early 1960s, though laws making the wearing of seat belts compulsory did not come into effect until the early 1980s. They were brought in with the belief that they would reduce the number of fatalities and injuries caused by car accidents. Initial messaging focused on the risk to the person themselves; one message at the time was "would you like your face smashed in", focusing purely on the personal danger of not wearing a seat belt. Similar messaging was brought in to cover driving whilst under the influence of alcohol, again that of personal risk: "Don't drive and drink. You're asking to get caught". These messages, backed by appropriate legislation and punishment, were effective to some degree.
However, the real change came when the messaging moved from personal risk to societal risk, for example from "would you like your face smashed in" to "belt up in the back – for everyone's sake". The negative consequence shifted from harm to the person themselves to harm to the person in the front of the car, whom an unbelted rear passenger can injure in a collision. The occupant of the car then stops fearing enforcement and starts to make the conscious decision that they do not want to carry out the behaviour.
A similar approach can be taken to compliance with policies, where you broadly have two strategies: either the employee fears HR action and so complies, or the employee actively does not want to break the policy.
You might be wondering how we can bring about the second strategy in policy compliance, and in some areas it is quite possible. Password sharing is often an issue in companies, particularly when the employee does not appreciate the dangers of sharing their password because the risk is abstract to them. However, by changing what that password has access to you can achieve this level of self-enforcing compliance. One way to do this is to connect the data that the employee has a lower concern for to data that the employee has a higher concern for.
For example, by using the same login to control access to the employee's HR data as the login that tends to get shared, and then messaging that by sharing the one login you are also sharing your salary details, sudden increases in compliance can be achieved. This is the same strategy adopted by the road safety campaigners: rather than focusing on the threat of enforcement, you focus on the consequence. Threats of enforcement only go so far and depend on the employee actively fearing the enforcement; it is far better to let users make the choice to comply themselves. It also adds an element of social control: asking a colleague for their password suddenly becomes as unthinkable as asking them for their salary details (note that this will not work in all cultures). Assuming your staff do not want to freely share their HR data with other employees, there is now an element of social control. One caveat for whoever implements this: a credential that now also guards salary and HR data is a more valuable target for phishing and credential theft, so the consolidation should be paired with the stronger protections (multi-factor authentication, monitoring of that account) that such data already warrants.
Thus, by focusing less on the threat of enforcement and more on the underlying consequences of their actions, you make compliance a far more personal message, and, for some users at least, one that is far more likely to be acted upon.