
What are the equivalent digital parallels to the practice of offering bonuses to employees challenging persons in a secured area without a visible badge?

Scott Pack
Tate Hansen
  • I like this question, but I'm finding it hard to see what kind of policy would maximize this... Looking forward to the answers – AviD Nov 21 '10 at 10:10
  • Hmm, now that I think about it - the question has a builtin contradiction. For a policy to "maximize detection", @Graham has a good answer... BUT if you're asking about "an equivalent parallel" to offering bonuses to employees, then @sdanelson's answer is spot on - and about as useless as the employee bonuses. To clarify, what I'm saying is **"the practice of offering bonuses to employees challenging persons in a secured area" does not maximize incident detection**. – AviD Nov 22 '10 at 11:09

3 Answers

2

The policy that improves incident detection is a policy to equip security staff with automated monitoring tools that save them from the tedious legwork of scouring log files and performing manual detection. By analogy: you don't improve physical security by asking your guard to walk faster, you give him CCTV monitors.

2

After thinking about this for a bit, and seeing the couple of (conflicting) answers that were offered, I realized - this is no different from your question on "What policies maximize employee buy-in to security?".

  1. Awareness
  2. Social norms (as per @Graham's answer there) - employees need to feel that they are expected to say something. Not quite "See something, say something" - more like "This is your office too, you'd say something if somebody walked into your home, wouldn't you?"
  3. Getting them to care.
  4. Priorities. Employees need to see that management cares about this too. Not by giving bonuses, but by actions. E.g. CEO goes over to a stranger... Or, contrarily, if an employee was late because he was questioning strangers or whatever, there shouldn't be repercussions...
  5. Appropriate tools, much as @Graham mentioned here. Moreover, automate detection as much as possible! Invest in good tools for the job at hand, and remove as much as possible reliance on the people.
AviD
1

I think the answer is a policy that rewards the reporting of unusual activity, i.e. software/hardware that is running abnormally slowly, crashing unexpectedly, etc. The policy could also cover the discovery of bugs, misconfigured software/hardware, and poor practices.

In a healthy organization a lot of this activity should already be going on, i.e. users calling the help desk to report that their computer is running really slowly. The policy would just formalize the rewarding/recognition of employees who help discover incidents.

sdanelson
  • Re "policy that rewards the reporting of unusual activity", as Schneier says if you ask amateurs to do your security, don't be surprised when what you get is amateur security. – Nov 21 '10 at 23:21
  • I agree with Schneier. For those interested the article that Graham quotes can be found at http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html. – sdanelson Nov 22 '10 at 02:17
  • I accidentally hit enter on my last comment. I don't think that the question or my answer opposes what Schneier argues. End users are not security experts, but end users are familiar with the software and hardware that they use on a daily basis. See Schneier's earlier article titled "Recognizing "Hinky" vs. Citizen Informants". – sdanelson Nov 22 '10 at 02:47
  • Another problem with this is that whatever you're rewarding for, will be gamed. You reward for reporting slow hardware? Expect everything to slow down. You give bonus for finding virus? All of a sudden every single virus appears in your network. And so on... – AviD Nov 22 '10 at 07:36