This is a male-dominated industry and the audience was full of men, listening to a woman whose introduction sounded distinctly flaky. Fortunately, we remained in our seats, and within minutes I was convinced she had a point.
The speaker, Debi Ashenden, a consultant with Qinetiq, argued that most user-awareness programmes are doomed because they assume that users act in a rational manner. We write security policies, dish them out to new employees during their induction class, and that tends to be it.
In reality, users have all sorts of influences. They know it is wrong to open dodgy email attachments, but might find it hard to resist a message saying "I Love You" if they are feeling lonely one day. Acting securely might also carry connotations of being a nerd or a goody-goody, and nobody likes to be seen as the office creep. Users could also view security as someone else's responsibility, especially if they are on what they regard as low wages and feeling unappreciated.
As Ashenden said, the information security department can often be seen as arrogant and threatening, its approach being to "invite offenders in for a private chat". That might instil fear, but it hardly engenders loyalty. It could even provoke a subversive reaction.
This should remind us that security is always a compromise, and involves making a series of trade-offs – summarised neatly by a later speaker, Jean-Noel Ezingeard of Henley Management College, as: procedural controls as opposed to creativity (prescriptive procedures tend to stifle creativity); top-down control as opposed to a culture of trust; exposure rather than ease of doing business (for example, internet links to business partners); insourcing against outsourcing (greater reliance on packaged software and services); and, finally, reputation over the bottom line (security can cost a lot, but can save corporate reputation; too much security might inhibit the business and damage reputation).
When it came to questions and answers, the audience had warmed to the theme. Several delegates made the point that outsourcing (especially offshore outsourcing), while economically attractive, can have a disastrous effect on company morale. As one said, employees will take a responsible attitude if they feel their company is looking after their interests. But if you think your job is going to be sacrificed to save money, then goodwill soon evaporates.
Security awareness programmes therefore need to be a lot more subtle than the traditional quick induction chat and a copy of the acceptable usage policy. In other words, we're all going to have to be a lot more pink and fluffy from now on.
Ron Condon is editor in chief of SC Magazine