I’m sure we have all heard about the Marshmallow Theory. In the theory, a child was offered a choice between one marshmallow provided immediately or two marshmallows if they waited for a brief period, approximately 20 minutes.
Researchers found that children who were able to wait longer for the preferred rewards tended to have better life outcomes. They could see the bigger picture and identify that they would achieve more if they were willing to wait. Trying for the quick rewards often didn’t result in the best outcome.
Now, let’s extrapolate this out to business, or maybe even corporate behaviour.
Staff are often internally motivated to take shortcuts for short-term gain, even if the policies and procedures are designed to provide better efficiencies and a safer staff work environment. Identifying that they need to achieve certain results, people will often find ways around corporate mechanisms to achieve their desired immediate outcome.
Many organisations are themselves to blame, attempting to address a simple compliance tick rather than correctly addressing the issue. That will often lead to organisations trying to find shortcuts to achieve their immediate needs. Ticking a compliance requirement doesn’t necessarily address the real problem.
Take security awareness, for example. Many organisations try to address their audit, NIST or ISO 27001 compliance requirements by just taking on some simple training and possibly some email phishing. They don’t address the entire picture.
Humans are funny creatures. They are prone to making mistakes, even if their intentions are honourable. Humans are influenced by their peers, their environment, the corporate culture, daily events, their attitude, as well as what they understand.
A person may come to work one day feeling great, free of work pressure or other external circumstances, and perform perfectly. Take that same person with extreme work pressures, family issues, financial issues or maybe just in a bad mood, and you will see a totally different behaviour pattern. Mistakes can be made easily, as their focus isn’t on security or the impact that their behaviour will have upon the organisation.
Taking the easy road to addressing your security awareness needs doesn’t consider all these factors, nor does it enable an organisation to accurately measure the success of the program.
Addressing the complete spectrum of humans with regard to their behaviour, attitude, cultural impact, as well as their understanding of the correct way to address security, is the only way to truly measure and address security awareness.
Don’t be the child looking for the quick reward. Taking time and undertaking a proper program to address the complete spectrum of human components will provide a successful program with a true measurement of its success.