User Behavior: The glass is half full

User behavior and awareness is an area that always keeps Security professionals up at night because, at some level, they have to trust users to respond with proper behavior.  As such, a recent survey released by the Ponemon Institute showing that user behavior has worsened over the past two years is likely to cause consternation in the Security community.  Although IREC has found that some behaviors have indeed deteriorated, Security professionals should take some comfort that IREC’s research shows that overall behavior related to security has remained fairly constant in the past two years, and some behaviors have actually improved.

As some readers of this blog will know, IREC has been surveying end users regarding their behavior for three years now. Over 100,000 users have taken our survey since its inception, which includes questions on 12 basic security behaviors ranging from not sharing passwords to not discussing sensitive information in public.  IREC has found average behavior to be fairly stable across the three years of the survey.  As the heavy line in the chart shows, average behavior improved by about 1% in each of 2008 and 2009—a very slight deviation from past survey rounds.  This pattern repeats in most of the behaviors surveyed: secure behavior in nine of the 12 behaviors has moved by less than 5% across the three years.

2009-06-16 IREC Blog Post chart

That said, there will be a couple of outliers in any sample, and the IREC End-User Awareness Survey behaviors are no exception.  However, whilst Ponemon focuses on the behaviors that have gotten worse, the IREC sample shows a few behaviors that move in each direction.  As you can see in the chart, the percentage of users physically locking up their laptops has increased 20% since 2007—quite a positive development.  On the other hand, the percentage of users e-locking their workstations when they step away has fallen, albeit within the 5% band mentioned above.  Perhaps the greatest mystery among the surveyed behaviors is avoiding writing down passwords.  This behavior saw a 5% increase in 2008, but then a sharp fall in early 2009; as the only behavior to show such a stark reversal, it will be an area for further study as IREC rolls out future survey rounds.

Perhaps more interestingly, organizations that have taken part in our survey year over year tend to show a steady improvement in secure behavior. Presumably these organizations have been focusing on targeting non-compliant users and the reasons they don’t comply  to improve their users’ behavior.

Measuring user behavior is a challenge, and any sample is likely to include some noise in either direction.  For a clear picture, it is important to have a large sample of users and ensure that a range of behaviors is included to reduce further the chance of spurious conclusions based on noise.  The fuller picture we have obtained from this approach shows that CISOs should focus on behaviors that show a particular decline or are especially crucial to their specific business.  Moreover, since discerning which behaviors are most risky can be a challenge, CISOs are also well-advised to design their awareness campaigns around ensuring that their users both know security policy and perceive the risks with appropriate severity, as these are the two key drivers of user behavior over which Security has the most sway.

Explore posts in the same categories: Awareness

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: