Before I begin the main part of this post, I'd like you to do an exercise for me: pause and close your eyes but do not think of green monkeys! Concentrate on anything else, but do not think of green monkeys, alright? Good.
One important aspect of developing security policies and security training is shaping user behavior. Users actually need to be told to have good passwords, keep them to themselves, and so forth. I prefer to think of these as behaviors instead of rules. When I teach any security introduction - especially Learning Tree's System and Network Security Introduction Training course - I stress the goal of creating a positive security mindset.
One way I work to help create that mindset in learners in classes or in documents I write is to be as diligent as possible to phrase these behaviors in a positive way:
- Use an appropriately long password
- Log out of the computer when you walk away
- Make sure your desk is clean when you leave it
- Use multi-factor authentication when available
And so on.
The role to property behavior in a security context, it is critical to remove that ambiguity. We need to make sure the learners are doing the correct thing, as opposed to some incorrect thing.
Consider these two statements:
Do not use weak passwords.
Use a password of at least fourteen (14) characters, including digits and upper and lower case letters.
The second statement details a specific, positive behavior and compliance is easy to measure or enforce.
There is also a deeper issue. According to an article in the New York Times, negativity requires more brain processing than positivity.
I am not saying that all "don't" rules or behaviors are wrong. Sometimes turning a rule around to create a positive behavior makes things overly complicated. "Don't insert unknown media such as a USB drive into your computer" is easy to reverse: "Only insert known storage media into your computer". On the other hand, "keep your password private" does not have the power that "do not share your password with anyone whatsoever" does.
Here are a few security rules that are easily turned around into positive ones:
"Don't use any name, social security number, address, or other personal information in your passwords" becomes "always use random passwords".
"Don't use the same password on multiple sites" becomes "use a unique password for each site."
'Don't store sensitive data unencrypted" becomes "Encrypt sensitive data".
Did you think of green monkeys earlier? I thought so. The exercise is not mine but is based on a Jolt activity from Thiagi. He relates that the science of why the activity works is based on the work of Kelly McGonigal, Ph.D. as described in her book, The Willpower Instinct: How Self-Control Works, Why it Matters, and What You Can Do to Get More of It.