Another identikit hotel room – I know the layout with my eyes shut. The desk will be five steps to the right. The TV remote control will be on the pillow and there will be 16 channels to watch – none of them interesting. In the bathroom there will be a hair-dryer hovering menacingly over the sink, a small bar of lovingly wrapped triple milled soap (whatever that means) and, curiously, a shoe-horn.
And tomorrow – another conference – where I am expected to offer new insight into security awareness. Hasn’t it all been done by now? After 20 or so years of telling people not to share their passwords, can there really be anything new to say? And why do they still do it? I really don’t know what I am going to say.
Still at least the restaurant last night was good. I’d never eaten kangaroo steak before – very nice and very tender.
And in the night it came to me – it saved my presentation. It was the kangaroo that did it and here is that story…
The story of the suicidal kangaroo
Researchers from an Australian University have been studying the behaviour of the Western Grey Kangaroo (Macropus fuliginosus) and, in particular, road-related deaths within that species.
Road deaths are high amongst kangaroos, as they often attempt to cross busy roads near major cities. They also pose a hazard to drivers, as hitting a 50 kg animal can result in major damage to a car. By studying the behaviour of the kangaroos, researchers hope to reduce both traffic accidents and deaths amongst the animals.
Over a twelve month period researchers have noted that kangaroos can acquire a learned behaviour at road junctions.
Typically a younger kangaroo (a joey) will approach a road and simply hop across it, with no regard for traffic. The incidence of road death among joeys is high.
However, more mature kangaroos exhibit a different behaviour and will hop up to the edge of a road, stop and look both ways for traffic. If there is traffic coming they will wait for it to pass and then hop across the empty road. The incidence of road death among the more mature kangaroos is low.
About 20% of the more mature kangaroos exhibit a different behaviour again. These particular kangaroos will hop up to the edge of a road, stop and look both ways for traffic. If traffic is coming, they will hop across the road regardless. Needless to say, amongst this 20% of the population road death is common.
Researchers have been unable to explain why these 20% of mature kangaroos show this behaviour. The animals are clearly aware that roads and cars are dangerous, but still continue to cross when there is traffic coming. Researchers have termed this behaviour ‘suicidal kangaroo syndrome’.
So how is the story relevant to information security awareness? And how can it help awareness programmes to be more successful?
The story merely illustrates that, in a given population, there is likely to be a significant percentage who understand that certain behaviour is dangerous (or inappropriate) but will still do it anyway (the suicidal kangaroo syndrome).
If you consider the population (your employees) amongst whom you are trying to increase awareness (and change behaviour) there is likely to be a significant percentage who will understand your message and understand that certain behaviour is inappropriate, but will continue (or even start) to exhibit that inappropriate behaviour.
In these cases this percentage of employees will have acquired the awareness but will not have made the link to a change in behaviour. This particular population is resistant to behaviour change, and no amount of training, action or encouragement will make them change their behaviour. These people are the suicidal kangaroos in your organisation.
In order to ensure that the limited budget within your awareness programme is spent wisely you should:
1 – Identify the suicidal kangaroos within your organisation
Typically, resistance to behaviour change is related to a particular culture, so you may find that a particular department or function (where cultural norms are distinct to that function) is resistant to behaviour change. Experience from running previous awareness programmes may also give insight into where the programmes have had least success.
2 – Avoid wasting your money on suicidal kangaroos
You will never change the behaviour of suicidal kangaroos. You do need to (of course) make them aware of what good behaviour is, but for this population reduce any investment in running awareness programmes to a bare minimum.
3 – Consider the risk of suicidal kangaroos
If the identified population has no access to valuable or confidential information, then the risk of their causing harm may be lower than if they regularly deal with high-value information. The approach taken in the next step should be decided within this context.
4 – Implement compensating controls for suicidal kangaroos
For the identified population, in which you are likely to see a high incidence of inappropriate behaviour, you should consider adopting compensating (or stronger) controls specifically for that population, proportionate to the harm they could cause.
Does it work? Well, it saved my presentation – it is easy to engage people in the story of the kangaroos, and it is memorable. This story has been told around the world and it may be spurious or even wildly inaccurate, but it does make the point, and the point is this – that awareness and behaviour are not the same thing. To change behaviour is much, much harder than raising awareness – just ask a kangaroo.