Monday, July 12, 2010

Enforce Security Practices by Disrupting Work Flow

Convincing some people to practice good security in their daily life can be a challenging task. If someone chooses to be careless with their personal computer it may be frustrating, but there really isn't anything you can do to force them to practice good security. At least not in any ethical way. But what happens when you are a system administrator for a small company and the employees there don't seem to care about following the company policies for security?

I know a system administrator who had a creative solution to this problem. In an office that had a lot of clients and visitors coming in and out frequently, it was important for employees to lock their workstations when they would walk away from them. Some of the employees, however, failed to view this as a priority either because it slowed their work flow on returning or they simply didn't care. So the tactic the sysadmin would take was to punish the employee in a relatively harmless way so that through the magic of operant conditioning they would learn to lock their workstation.

The punishment the sysadmin chose was one that would disrupt their work flow and cause inconvenience rather than harm. The key was to ensure that the inconvenience for not locking a workstation was greater than the inconvenience incurred by locking it. So what did he do? When the employee left their computer unlocked, the sysadmin would create a new text file on the user's desktop and name it something like "I will lock my screen.txt". Then he would copy the file around 400 times, so when the user returned their desktop would be covered in copies of this file. Since a lot of users save files to their desktop and launch programs using shortcuts that are stored there, this caused them consternation when trying to open new files and programs. Was it annoying? Yes. Was it harmful? No. Was it a little bit childish? Possibly. But did it change the behavior of the employees? You bet it did.
