The Human Factor

employee_trainingOn Monday we discussed the effect that living in a code yellow world has on creating security fatigue.  Peter Herzog, in his blog Dark Matters expanded on this theme recently, giving examples of how teaching your employees how to stay secure in an insecure world may be counter-intuitive to the way we usually accomplish this.

Here are his recommendations:

  • Teach your employees to say “I don’t want to” rather than “I can’t” or “No.”  “I don’t want to” is a more willful and empowering phrase, with just a hint of irrationality that can end a social engineering negotiation.  Ask any two-year old about the power of this one.
  • Using positive reinforcement to encourage secure behavior rather than threats, policy manuals, and the fear of termination.  Instead of revealing the latest security failure, share instances where an employee was alert and reported an attempted exploit.  Your employees will have to be able to trust that reporting issues and even their own blunders can be done without repercussions.
  • On the other hand, for most humans hardly anything is more stressful than socializing.  Many of us aren’t that good it handling the nuances of body language, facial expressions, and social interaction.  Plus a lot of socializing tends to interrupt the concentration and work flow of at least one of the people involved in the social exchange. And the intrusion of text, email, smartphones and Facebook into the workplace can be distracting.  People are more productive in when working alone. Maybe you need to implement a “closed door policy;”  if my door is closed it means I don’t want to be disturbed.  Also, going for a walk clears the cobwebs better than sitting around the break room. This one is a bit counter-intuitive, and may take so creativity to implement without seeming like Buzz Killington.
  • Working in an environment where “extra effort” is discouraged can also be beneficial to security over the long term.  Extra effort usually shows up as extra hours.  Having your employees working endless extra hours to show the are a team player and to impress the boss and get that next raise is another source of stress and fatigue.  Encourage your people to go home at 5:00 and have a life outside the workplace.
  • Happy employees are productive employees, and happiness has been shown to reduce fatigue and absences in a workplace.  When people want to be there, and are invested in the success of the business, they are more likely to be alert, aware, and more likely to avoid falling for phishing emails or social engineering.

So these are Peter’s thought on the human factor of cybersecurity, and while they may seem to just the opposite of many of the things you have been doing with your staff, they bear serious consideration.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.