From Weakest Link to Security Hero - Transforming Staff Security Behavior - Cyber MiSC

- the best outcome is 'security mindfulness' - "an attitude into which is woven preoccupation with failure, reluctance to simplify interpretations, sensitivity to operations, commitment to resilience and deference to expertise" - this is not achieved through punishments and compliance - *at best*, hygiene factors just don't piss people off - it is inefficient to try to fit the human to the task - unless your want your humans to only be able to do the task - is the day-to-day task you want people to be doing...memorisation? - the physical and social context in which the humans will be acting has some importance: the paper notes a great example, which is: putting in a password on your laptop in your air-conditioned office is quite different to trying to type it when it's -3 and you're on your phone - security issues are people issues and people are so part of a social system, a system both corporate and national, that it's impossible to take them out and impossible to take an action that's not within that context - so all change professionals must understand their context - it's handy if your context comes with a high security mindset - ah, and what if your leaders bring in people with a low security mindset...? - Schein (2004) argues that there are three levels of organisational culture, each of which is evident to an outside observer: - artefacts and behaviours - espoused values - underlying assumptions - Schein (1996) argues separately that there are eight 'anchors' in a corporate culture: - autonomy and independence - security and stability - technical-functional competence - general managerial competence - entrepreneurial creativity - service or dedication to a cause - pure challenge - lifestyle - Furnham (2005) says that organisational change is rarely successful - Haidt (2012) argues that there are 6 moral dimensions: - care/harm - fairness/cheating - liberty/oppression - loyalty/betrayal - authority/subversion - sanctity/degradation - people won't feel strongly about all of these, but knowing which people feel strongly about will help craft messages that reach them - I wonder which of these moral dimensions most security people align most strongly to?