Do or Don't: It Makes a Difference to the Cyber Security Mindset

2019-10-07

Before I begin the main part of this post, I'd like you to do an exercise for me: pause and close your eyes but do not think of green monkeys! Concentrate on anything else, but do not think of green monkeys, alright? Good.

One important aspect of developing security policies and security training is shaping user behavior. Users actually need to be told to have good passwords, keep them to themselves, and so forth. I prefer to think of these as behaviors instead of rules. When I teach any security introduction - especially Learning Tree's System and Network Security Introduction Training course - I stress the goal of creating a positive security mindset.

One way I work to help create that mindset in learners in classes or in documents I write is to be as diligent as possible to phrase these behaviors in a positive way:

Use an appropriately long password

Log out of the computer when you walk away

Make sure your desk is clean when you leave it

Use multi-factor authentication when available

And so on.

The role to property behavior in a security context, it is critical to remove that ambiguity. We need to make sure the learners are doing the correct thing, as opposed to some incorrect thing.

Consider these two statements:

Do not use weak passwords.

vs.

Use a password of at least fourteen (14) characters, including digits and upper and lower case letters.

The second statement details a specific, positive behavior and compliance is easy to measure or enforce.

There is also a deeper issue. According to an article in the New York Times, negativity requires more brain processing than positivity.

I am not saying that all "don't" rules or behaviors are wrong. Sometimes turning a rule around to create a positive behavior makes things overly complicated. "Don't insert unknown media such as a USB drive into your computer" is easy to reverse: "Only insert known storage media into your computer". On the other hand, "keep your password private" does not have the power that "do not share your password with anyone whatsoever" does.

Here are a few security rules that are easily turned around into positive ones:

"Don't use any name, social security number, address, or other personal information in your passwords" becomes "always use random passwords".

"Don't use the same password on multiple sites" becomes "use a unique password for each site."

'Don't store sensitive data unencrypted" becomes "Encrypt sensitive data".

Did you think of green monkeys earlier? I thought so. The exercise is not mine but is based on a Jolt activity from Thiagi. He relates that the science of why the activity works is based on the work of Kelly McGonigal, Ph.D. as described in her book, The Willpower Instinct: How Self-Control Works, Why it Matters, and What You Can Do to Get More of It.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.