Four Ways That You Can Respond When Someone Causes a Breach

Jordan M. Schroeder, published in The Startup, Sep 2, 2019

I’ve been very interested in behavioural science since I was a Department Head of a college. It’s never enough to just know what to teach; that part is surprisingly easy. It is more about getting what you want into the learner’s head, and that part is surprisingly difficult to accomplish consistently over a diverse population.

The same challenge is experienced by management and felt even more keenly by the cybersecurity department when they want employees to adopt a secure or compliant way of operating. How do you address failure or non-compliance?

This challenge comes up quite often when I’m drafting information security policies, and if management does not raise it themselves, I make sure to do so. It also comes up when the organisation talks about cybersecurity training and phishing simulations. It is important to know how to do things properly, but what happens when someone doesn’t?

How the organisation, management, and the cybersecurity department devise a response to failure and non-compliance is perhaps more important than the compliant behaviours themselves because the response is a core ingredient to security culture. And culture overrides whatever is written in any policy, no matter how hard you try.

There are four categories of response that you can take. Management and leadership need to be very clear and deliberate in their choice of response, even if that response is contrary to how they might want to react when a major breach occurs. How managers respond in the moment determines the culture.

Here are the four ways that you and your teams can respond when someone causes a breach:
* Positive reinforcement: adding favourable factors
* Negative reinforcement: removing adverse factors
* Positive punishment: adding adverse factors
* Negative punishment: removing favourable factors
(Positive = adding something. Negative = removing something)

Reinforcement

A reinforcement is the introduction of a favourable condition that will make a desired behaviour more likely to happen, continue or strengthen in the future.
(Mowrer OH. Learning Theory and Behavior. John Wiley & Sons Inc; 1960. doi:10.1037/10802-000)

* Positive reinforcement: adding favourable factors
* Negative reinforcement: removing adverse factors
(Positive = adding something. Negative = removing something)

Positive reinforcement is traditionally understood as a “reward”. When the correct behaviour is shown, then the reward is supplied.

Spoiler alert: studies show that positive reinforcement is more effective in changing behaviours than anything else. That means that you should be looking for ways to positively reinforce the actions the person took during the breach that you want to ensure they do again. Did they report the breach? Did they report quickly and using the correct procedures? Did they assist the response teams? Did they keep their heads while things went wrong? These are all things to focus on and be deliberate in reinforcing.

Negative reinforcement is tricky and easy to get wrong, but it is also a form of “reward”. I like to think of it as a “rescue”. Some people introduce adverse factors and then remove them when the person does something right. But that is not negative reinforcement, that’s an example of positive punishment, which we will see below.

Rescuing the person from a problem or an increase in workload when they have done things right is an example of negative reinforcement. Breach response teams and even the entire cybersecurity department can be crafted in such a way so that they are seen as a “rescue” and a help to employees when a breach occurs.

In both cases of positive and negative reinforcement, a clear link between the reinforcement and the desired behaviour needs to be made in the employees’ minds at the time, or there will be no impact on behaviour.

Punishment

A punishment is the introduction of an adverse condition to make an undesired behaviour less likely to happen, continue or strengthen in the future.
(Mowrer OH. Learning Theory and Behavior. John Wiley & Sons Inc; 1960. doi:10.1037/10802-000)

The problem is that there is no guarantee that someone will seek out the desired behaviour when they want to avoid punishment. Their focus will be on avoiding punishment, not on compliance.

* Positive punishment: adding adverse factors
* Negative punishment: removing favourable factors
(Positive = adding something. Negative = removing something)

Positive punishment can manifest in a variety of ways: increased training, “naming and shaming”, serious chats with their managers, even so far as suspension or being fired. Positive punishments have inherently clear links to the undesired behaviour, and they require no expertise to deliver. Positive punishment, quite frankly, is far easier than any other type of response and tends to be the first and only response people think about. The only problem is that the approach seldom works to effect the desired change.

Negative punishments are not that common, in practice, and tend to be crafted as a “threat” rather than something actually put into practice. Some organisations will remove employee access to the Internet if they do not complete security awareness training within a certain timeframe, for instance, or if they fail too many phishing simulations.

Negative punishments can work in the short term in targeted ways as a threat, but as soon as someone accepts the loss of the favourable factor, then the threat loses all power. When this happens, the employee becomes an opponent and not a member of the team, and the organisation loses.

Natural Consequences vs Punishments

Punishments should not be confused or co-mingled with “natural consequences”.

If someone does something that has an adverse result, then that result is not a punishment, as long as management or the breach response team does not shift the perceptions of the result as being a punishment. “I told you so!” and “Well, what did you expect?” and “You should have known better!” are very effective phrases for doing that.

Natural consequences need to be understood by the person as being neutral and independent of anything else, and the breach response team can use the opportunity to set themselves up as a “rescuer” of these consequences in a judgement-free way.

The instant that management or the response team applies judgement to the consequences, then the person will see the consequences as a punishment.

The Nuclear Option

Here is the problem with punishments: it is a race to the bottom. If someone accepts the punishment instead of changing behaviours, then the organisation must increase the intensity of the punishment. There is a hard limit on how far the organisation can go to punish, but no limit on how far an employee can go to not care. The employee always has more leverage in punishments.

If the organisation wants to introduce punishments, and in many cases, it needs to, then it has to recognise the limitations it has in affecting behaviours. Punishments are best applied when behaviours cannot or will not change and the organisation needs to mitigate the risk. In short, punishments need to be seen as “the nuclear option” for when nothing else can possibly work.

The effect on behaviours when all the organisation has are nuclear options is counterproductive to compliance. The organisation, management, and the cybersecurity team need to look to reinforcements if they want to shift behaviours and to encourage compliance over time. There is no limit on reinforcements and the organisation has all the leverage in choosing and delivering reinforcements. Moreover, reinforcements work in changing behaviours.

“Favourable” Is in the Eye of the Beholder

You can be in a situation where you think that you are providing positive reinforcement, but if the person thinks that what you are adding is an adverse factor and not a favourable one, then it will be perceived as, and have the effect of, a positive punishment. I see this disconnect nearly every day.

“We were so happy with how you handled that breach that we want to put your photo on the front page of the intranet and tell your story. Can we video an interview with you on what happened?” For someone who would be embarrassed by this type of attention, this would be seen as a positive punishment (adding an adverse factor). If the person was involved in a subsequent breach, they might actively work in non-compliant ways just to avoid the attention again.

Similarly, if you remove something that the person perceived as favourable, then this would be seen as a negative punishment.

Imagine a situation where someone was using their personal cloud storage service in order to share work files, and there was no training or policy against this practice. If the person reported a breach in the way they used the service and the organisation determined that this situation posed too great of a risk and blocked the service, then people would start to hide the fact that they were using these services and hide any breaches that might have occurred when using them.

The better approach when blocking access would be to offer a positive reinforcement for those who reported and switched to a more compliant way of working.

How does the organisation or the response team ensure that its response is seen as favourable? The easiest method is to acknowledge that everybody is different, provide a range of options, and most importantly, ask and listen.

The Response That Works

It is human nature to want to punish wrong-doers. Unfortunately, the desire to punish is at odds with encouraging compliance. If you want to encourage compliance, you need to reinforce compliant behaviours. It is that straightforward.

The keys to success:

* reinforce compliant behaviours instead of punishing non-compliance
* adopt a judgement-free response to “natural consequences”
* instil a learning attitude to the path of compliance
* ask and listen to people about what they see as favourable factors

Action Items:

* Look for and eliminate as many “unplanned” punishments as possible in your breach and incident response processes
* Eliminate planned punishments that are erroneously expected to change behaviour
* Look for ways to inject reinforcements in your response processes
* Survey your employees to get their perceptions on the response processes

This is an expansion and update of the Behavioural Modification section in my book “Advanced Persistent Training” available on Amazon.

#cybersecurity #breach #ciso #policy #culture

Jordan M. Schroeder: Managing CISO @ HEFESTIS, moderator of Security StackExchange, author of Advanced Persistent Training.