why don’t they do as they’re told?

Post on 23-Feb-2016


DESCRIPTION

Why Don’t They Do as They’re Told? Wendy Goucher. Special Note: This deck appears as presented at the Malta Chapter conference (with pictures protected). This means there are no notes or explanations. If you want to ask me to explain something then please do drop me an Email to - PowerPoint PPT Presentation

TRANSCRIPT

© Goucher Consulting Ltd, 2014

Why Don’t They Do as They’re Told?

Wendy Goucher


Special Note

This deck appears as presented at the Malta Chapter conference (with pictures protected).

This means there are no notes or explanations. If you want to ask me to explain something then please do drop me an Email to wendy@goucher.co.uk and I will try to explain myself in a slightly more helpful way.

Special thanks to everyone for making us feel so welcome


Mobile Working


Risk


Why?


Why?


Because they’re Stupid?


“People are the Weakest Link in Information Security”

Weakness needs considered handling and exercise


The Challenge of Mobile Device Security

• Just telling them doesn’t work.
• Rewards and Punishments are ineffective in the medium term.
• They are going to be out of your reach.


Internalisation

• Understand the risk
• Believe in the risk
• Trust the solution
• Believe in their implementation


Building Intentions


Wendy Goucher’s work. Please respect my IPR


[Figure: The Road of Good Intentions. Diagram labels: Behavioural Intention; Gulf of Execution; Insecure or lack of secure behaviour; Secure Behaviour; Abandoned intention; Conversion; Motivation; Deterrent]


[Figure: Deterrents and Motivators around the GoE, each marked as External Source or Internal Source. Diagram labels: Management; Lack of trust in source expertise; Inappropriate Training; Lack of Commitment; Elapsed Time since last performed; Lack of Expertise; Response Cost; Autonomy; Visible Monitoring; Commitment Habit; Feedback channel; Positive Re-enforcement; Employee Participation; Response Cost; Self Efficacy; Tension between task and security; Work Pressure; Resource Scarcity; Implementation intention]


Make it Meaningful


Most people care more about Personal Risk than Corporate Risk

Use That Knowledge


Why don’t they do as they’re told?

• Because they don’t believe or understand the risks.
• Because they don’t think the risks are significant.
• Because they find the controls get in the way of their work.
• Because they don’t think the effort is worth it.


Hints and Tips

• Communicate the Risk
• Make their effort meaningful
• Operational Compatibility
• Make controls and guidance a matter of principle rather than specifics


Operational Compatibility


Any Questions?


wendy@goucher.co.uk
