While the word "consequences" has a negative connotation, consequences contribute to 80% of the success or failure of Security Awareness programs.
When I ask CSOs what consequences there are for security-related behaviors within their organizations, they almost balk at the idea. They assume that I mean punishments, and that they rarely have the authority to strictly enforce any punishments. I have to point out to them that there are consequences for all actions; good, bad or neutral.
Clearly, punishment is a negative consequence. It can range from being called out to being fired. Sometimes the offender creates their own negative consequences by causing harm to themselves. How severe the punishments are also affects how useful they are. Frequently, when people bypass security measures, they are rewarded with fewer impediments to doing their jobs. Sometimes the rewards are part of the organization's security program. More frequently, whether or not a person follows a security policy has no impact at all.
One of the most effective Security Awareness consequences that I experienced was when I began work at a government contractor many years ago. My first day on the job, I forgot to lock up my burn bag. A burn bag is literally a bag where you are supposed to place any classified materials you want to dispose of. Before you left the office for the day, you were supposed to place your burn bag in a locked drawer or similar storage. One day, I apparently left my burn bag out. The next morning, I received a call from the physical security manager, who wanted me to come to his office.
I walked in and he held up my burn bag and asked if I was missing anything that morning. He went on to tell me that the security guards do rounds, and they confiscate any vulnerable information. I said, "Thanks," and assured him it would never happen again. And it didn't. The consequence of being called into his office was more than enough for me to remember to lock up my burn bag in the future.
Another contributing factor is the probability that a consequence will actually occur. For example, even if there are clearly negative consequences, if the likelihood of being punished is negligible, it negates any negative consequence. If you have rewards in place, but the rewards are not frequently distributed, then they are moot. Consequences are only as useful as their consistency. In my case, I knew that the guards did regular rounds, so the probability of negative consequences was high.
The ABCs of Awareness
Behavioral science has its own ABCs: antecedents, behaviors, and consequences. Antecedents are precursors to behaviors. In Security Awareness, antecedents are typically information. They can take the form of briefings, posters, newsletters, activities, or whatever else is in a traditional awareness program.