People Security - Behavior Engineering and Information Security

 

Thinking Outside the Security Blog

 


 

Written By: Rob Hatke ~ 4/20/2021

It’s been a while since I wrote my last blog. Life simply has got in the way (or that is the excuse I tell myself). In reality, the problem has to do with lack of resources (time) and motivation (do I do this or have fun/complete HoneyDos).

In the last blog article, recall that I stated that the notion of people being the weakest link was misguided. Information Security is still mostly a people problem (yes, there are technology and processes, but who creates those?). If it is a security problem, we need to look at human performance. This blog will introduce you to the Behavior Engineering Model created by Thomas Gilbert in the 1970s.

Gilbert’s model is broken down into two (2) areas: Environmental and Individual (Behavior). Each is further broken down into Information, Instrumentation, and Motivation.


In the original model, the Environment accounts for 75% of the barriers to human performance and the Individual accounts for 25%.


In this blog, I will discuss Motives (Individual - Motivation). Why would I pick the smallest percentage category to discuss first? I do this for two reasons: motivation was one of the reasons I have not written a blog in several months, and the problems people commonly attribute to failures (people are the weakest link?) in Information Security are not really what they think. In future blogs, I will relate the remaining five (5) areas to Information Security.

Let’s dive into motivation. While the 6% is small, an updated version of the model shows that individual motivation has more leverage than the other Individual attributes.


As seen in my example, my personal life got in the way of business. Bringing that into the corporate context, think of the end user. Do you think Information Security is #1 on their minds? Did it even break the top 20? The first step is realizing that most workers are not motivated to care about or do anything relating to Information Security. Yes, I know you may “think” this... but have you really accepted it? So what do we do to motivate end users? Start with designing solutions (and use other categories of the behavior engineering model) that allow them to perform their work seamlessly. Another thing you can do is align with what is important to the end user. This typically brings it back to personal life. Have you shown them how this can help both the company and themselves?

I hope this blog article has caused you to “think outside the security box.” Stay tuned for future blogs on Behavior Engineering.

