Britain's top cop, Metropolitan police commissioner Sir Bernard Hogan-Howe, stuck his head into a hornet's nest recently when he suggested banks should stop refunding fraud victims so as not to encourage bad user behaviour.
Hogan-Howe believes making the crime hurt would provide an incentive for bank customers to use strong passwords, keep their anti-viruses up to date, and generally be more security-minded.
His suggestion was shot down almost immediately by IT experts such as cryptographer Ross Anderson at the University of Cambridge as “victim blaming”.
Anderson is of course correct: bank customers have little or no control over the technology they use or the servers they connect to over the internet. Malware keeps evolving and will often bypass even the best defences.
At the same time, however, there are situations where you can modify user behaviour for the better by letting people face the consequences of their actions - but these need a carrot and stick approach to work.
As an example, over the past few years the rural Northland, NZ council faced having to deal with a rash of bushfires set by farmers burning rubbish rather than taking it to the tip.
In the dry season, the damage caused by the fires could be substantial and lives were frequently put at risk because the rural firefighters weren’t able to get to sites fast enough.
The council’s solution was two-pronged: they got three firefighting helicopters for the area so they could react quickly.
Then, if the fire was due to carelessness, the council would charge $500 an hour for each helicopter and make sure the culprit paid up.
That has turned out to be a successful solution - the number of fires dropped off when word got out that you'd pay for fires you started. At the same time, the fast firefighting response means damage never gets out of hand.
It might be tempting to dock the pay for users who click on everything on their computers with gay abandon, but that would rapidly backfire on even the most hardcore IT administrators - and it would scare people off using technology, which is not what you want.
Instead, user education and policies that are reviewed and updated to fit new threats are crucial. It's a hearts and minds battle that can be won with a little planning.
When things go wrong, and malware or social engineering strikes, you'll need a rapid response to limit the damage quickly. Again, policies need to be in place that let you act fast and isolate incidents, and that encourage users to report them - it's better to have one false report too many than to miss a single real one.
Depending on how the attack took place, having some form of consequences for users who breached policies isn’t a bad idea.
A post-mortem of the attack, held with those who were affected, to ensure that they understand what happened and how they can avoid a repeat of the situation is one way to do it.
You want to make sure that your users know the lay of the land, know what to do, and feel empowered by the security solutions and policies in place to protect them and the technology the business relies on.
If, despite all the above, users don't feel incentivised enough to be careful out there on the wild and woolly internet, go with Hogan-Howe's suggestion and fine them. It's the only thing they'll understand.