First, let me start by saying that I am very fortunate. Organisations like ISC2 and the ISF, conference organisers such as InfoSec and publishers such as Information Security Magazine have all, over the last 4 years, asked me to share my thoughts on what the industry calls “The Human Factor”.
Their interest highlighted to me the industry’s growing hunger for action on the matter of the human factor, or what I called the “why people do what they do when we have asked them not to” factor. Its other, less creative and less sexy, name is “compliance”. There, I said it!
I enjoy a challenge, and the human factor was, to me, the proverbial white elephant in the infosec room. Everyone knew it was there. It was huge! It was grey, reflecting that there was no black or white answer. It was so huge, so immovable or unresolvable, that it was the perfect fallback when things went wrong. Because of this, people just turned their backs on it. It was a residual risk that they’d accept and, in many cases, they didn’t ask whether they could manage it more effectively. After all, people are people; they’ll do the silliest of things. What can you do about it?
I’ve always been a little bit alternative. As a teenager I adored The Smiths, The Cure, Red Hot Chili Peppers, Propaganda, U2, Ultravox, Billy Idol, and the list goes on! So, whilst accepting what the status quo was back then, I was driven to seek an alternative perspective. More importantly, as an information security professional I believe it’s my responsibility not just to identify risk but to come up with ways to manage or leverage it. The human factor is no different.
I knew that organisations would identify which risks are and are not acceptable, and that they would then find controls to manage those risks, or their impact should they occur. But the controls, to be of value, needed to be complied with. There was plenty of evidence, through my own experience, my peers’ anecdotal stories and the industry as a whole, that this was not a guarantee.
My approach was to identify the root cause of why people do not always comply with organisational policies and how, using a variety of sciences as well as marketing, change management and other disciplines, we could provide opportunities for progress in addressing the human factor.
SABC is the acronym I created for the Security Awareness, Behaviour and Culture methodology I have developed. What is awareness, and what is the most effective way to achieve it? How do people make decisions that result in positive security behaviours, and what influences them? How are cultures formed and shared, and what influences them?
It has been a rewarding journey which has introduced me to many new people and disciplines, often from outside of the security industry. It has reshaped my own approach to information security and thrown an alternative light on what we as professionals do day in, day out, sometimes consciously and other times unconsciously.
Over the next 3 years I will be making a full pivot towards sharing my work, building on the conferences and workshops I have been participating in, by introducing a range of online training courses, expanding our SABC workshops outside of the United Kingdom into Europe and North America, and identifying a range of strategic partners to raise awareness and implement SABC across the world.