Creating a Zero Incident Culture Copyright 2004 Melissa

Creating a Zero Incident Culture Copyright 2004. Melissa Guenther, LLC. All rights reserved.

Measurement Measuring the effectiveness of security awareness programs usually becomes an assessment of security incident statistics. This is basically an exercise in measuring luck.

• A common thread of those that had success with security awareness efforts- giving people clear direction and immediately enlisting their energies in creating that future. • Involvement in security awareness efforts in academia, Fortune 100 and small businesses – variety of situations with one constant. People. • Regardless of presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future. And it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a Firewall or automatic update installations, technology doesn’t work unless people decide to make it work. • Getting people involved in the process - because people are the ones who make changes work - is key. “Organizations don’t change – people change. And then people change organizations. ”

What is a Zero Incident Culture? It is not: • Having absolute security • Regulatory compliance

What is a Zero Incident Culture? • It is the presence of security, not the absence of threats/vulnerabilities. • Behavioral security awareness programs, like Zero Incident, optimize secure work practices and make line workers and supervisors jointly responsible for security. – Management’s role is to determine causes of incidents or potential incidents. – Supervisors focus on secure practices, even if it slows work. – And workers focus on getting the job done securely, making it a priority equal to getting the job done.

Why Strive For Zero? • Accepting a certain level of security incidents in your organization means accepting avoidable risk and loss – financial, public perception, legal, productivity and operational. • Anything less than Zero as an operating philosophy and goal is unacceptable.

What is a Zero Incident Culture? • A culture that views every incident as an operational error. • A culture in which security is integrated into all operations. .

What are the Benefits • Protection of our most important assets financial savings / ROI • Transcends security – improves quality, morale, productivity, profits & employee knowledge and ownership of success.

Danger Signs • Unclear who is responsible for what. • Belief that everything is ok, “we are in good shape” • Belief that rule compliance is enough for security (If we’re in compliance – we’re ok) • No tolerance for whistle-blowers – “culture of silence” • Problems experienced from other locations not applied as “lessons learned” • Lessons that are learned are not built into the system • Defects / errors became acceptable • Security is subordinate to production • Emergency procedures for severe events is lacking

Danger Signs • Policies and Procedures are confusing, complex and “hard to find” • Security resources and techniques are available but not used. • Organizational barriers prevent effective communication. • There are undefined responsibility, authority, and accountability for security. – Security belonged to “IT” • The acceptance of defects / errors becomes Institutionalized. – Because nothing has happened (or we are unaware of what has happened), we’re ok. • Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.

Company Culture Production Culture - vs. - Security Culture Due to high costs of incidents there is no way a pure production culture can be profitable to it’s fullest potential.

What is a Production Culture? • • Belief that only production matters. Whatever it takes to get the job done. Security performance is not measured. Security performance is not part of supervisor’s job.

Security Culture • Security is not a priority - it is a corporate Value. • All levels of management accountable. • Security performance measured & tied to compensation. • Security integrated into all operations.

3 Major Steps to a Zero Incident Culture To get there you must take AIM • Assess your current culture • Implement the 12 upstream elements • Maintain the culture change

Assessing Security Culture Diagnosing Organizational Health

What Ails Us • • • Symptoms Coughing Pale skin Constricted pupils Pain Deformity Nausea/vomiting • • Signs Elevate temperature High/low Blood sugar Rapid pulse Shallow respiration Confirmed by: Palpitation - X-rays - Blood tests - Urine Tests Examination

What Ails An Organization • • Symptoms Uncorrected vulnerabilities Low employee involvement/accountability Fear Lack of feedback Poor security practices Zero-reporting Leaders not walking the talk • • • Signs High incident rates High frequency rates Low incident reporting Low security audit scores Increased cost per employee work-hour Confirmed by: Culture Surveys – Focus Group Interviews – Management Interviews

Why Measure Perceptions? • Perceptions are reality. • Regardless of management’s intent regarding security – reality is what employees perceive about security. Security Opinion Survey • Survey measures the drivers of a security culture against a potential perfect score of 100%. • The gap (how far from 100%) in each driver will

Key Drivers of Security • Risk/Hazard Correction • Security Communications • Behavioral Reinforcement • Security Values • Management Credibility • Accountability

Security Opinion Survey • Survey also measures the difference in what employees and management perceive about the security culture. • Typical results are that management perceives security as more positive than do employees. • The larger the gap the greater the

Risk/Vulnerability Correction • Measures employee beliefs about the importance a company places on identifying and correcting risks/vulnerability. • A belief that effort and resources are expended to correct risks/vulnerability supports a positive perception regarding the company’s commitment to security.

Accountability • Measures whether respondents believe that supervisors are truly accountable for security performance.

Communications • Security communications, or the lack of them, shape perceptions regarding the company’s security commitment. • Measures employees perceived freedom to discuss security issues. • Determines employee fears regarding communicating security issues.

Behavior Reinforcement • Measures perceptions regarding effectiveness (or lack of) adequate feedback and reinforcement. • Also measures perceptions on how effectively leadership “values” security. • Measures perceptions of how well the “actions of security” are modeled.

Security Values • Measures perceptions regarding the company’s commitment to security as a value. • Also measures how the individual values security, as well as, their coworkers, leaders, and company as a whole. • The higher security is valued, the better the security performance.

Management Credibility • Measures how employees perceive management’s support for security – and how believable leaders are. • Sometimes “words” used by leaders are on target but their “actions” undermine their credibility.

Culture Assessment Report Provides gap analysis of security in the “real world” as opposed to the “ideal” security process. Defines the security culture – “what it’s really like” in the minds of employees. Measures disparity gap between management

Zero Incident Culture Continuous Improvement Behavioral Security Each step is a building block supported by the steps below Incident Analysis Training and Education Planning Perf. Coaching Leadership Employee Owned Communications Accountability Values Vision Stairway to Zero Security Incident Excellence

VISION Vision answers the question “where are we going? ”

The Importance of Vision • Vision refers to a picture of the future and discusses why people should strive to create that future. • Clarifies any confusion – “Is this in line with the vision”.

VISION • One of the most famous vision speeches was made by John F. Kennedy regarding space travel. He committed that the United States would send a man to the moon within 10 years and bring him back alive. • It was certainly a stretch – great minds of the time said it was impossible.

VALUES • Values are the ideals or principles of society (organization) • Values define the ground rules (behaviors) for personal interactions in a company. • Clearly defined organizational values are the springboard for all other security efforts VALUES vs. PRIORITIES Priorities can be shifted – values cannot

Organizational Values • All companies have values, whether or not they have identified them. • Many managers may believe security is a value in the company, when in fact, it is not.

Individual Values • Individual values can influence group values. • This influence can be positive or negative.

Espoused Values • Are not the actual values in a company. • These are “what a company would like for it’s values to be. ” • If security is violated frequently, it is simply an espoused value.

Security as a Core Value The vast majority of people will adopt the organizations values if they perceive this is what upper management truly wants. • Employees who will not align themselves with the values of the organization do not fit – (regardless of position)

Accountability “The Engine That Drives Security”

Accountability • Accountability can take us from the reactive mode of constantly putting out fires, to a proactive mode of making sure the security process is in fact working at the operational level Accountability Defined • Someone is accountable when their performance is measured • When someone is responsible, their performance is not necessarily measured • The objective is to motivate performance

Accountability Defined • Obligation to perform duties to an accepted standard…………or else. • Has measurement system, evaluation, and consequences.

Accountability • Supervisors are usually measured on schedule, production, and cost. • They are often not measured on security performance, or not measured effectively and fairly.

Accountability • “What gets measured, gets done” • We tend to “get done” what is measured by our supervisor

Management Accountability • All levels of management and supervision must be held accountable • Security performance must be measured objectively • Must be controllable – Must be fair

Who Should Not Be Accountable? • Those without ultimate control…… The security Professional!! One of the most common structural mistakes

Measuring Performance • Upper management should be measured on results and activities. • Front line supervisors should be measured mostly on activities.

Measuring Performance • Remember – The absence of threats is not the same thing as the “presence of security” • Focus on defining what the Presence of Security would look like—then develop a system to measure it

Results • Results measurements may include: – Incident Rates – Incident Costs – Cost per man hour – Audit scores – Observation Frequency

Activities • Activities may include: – Self Inspections – Awareness – Security and Training and Education – Desktop Meetings – Security Planning – Task Analysis – Behavioral Reinforcement

Accountability Systems • Performance Appraisals – Should be at least annual, more is better, the more communication regarding performance, the more effective – Security should have equal weight to other performance measures

The Difference Between Incentives & Accountability Incentive Programs • Employee focused • Reward for “no incident” (trinkets) • Short-term (contest) • No real consequences • May not motivate • • • Accountability Process Mgr/Spvsr focused Rewards performance Long-term / Ongoing Impacts compensation Impacts career path

Security Communications • Communicating Vision & Values • Eliminating Fear from the Workforce • Communicating Instructions / Procedures

Communicating Vision & Values • You cannot over-communicate vision & values • Takes up to 50, 000 communications to anchor in culture • Must use a variety of methods / forums

Balancing Security with Production Messages • Management often sends mixed messages • Think about how many production or schedule messages employees receive daily in relation to security messages

“Fear is at the root of all the time people spend in meetings not saying what’s really on their mind” Vice President of Fortune 500 Company

Fear in the Workforce • If people are afraid to bring up security issues a serious flaw exists in the security process • It is not possible for a company to move to security excellence unless this problem is corrected

Communication • Build trust & drive out fear of bringing up security issues • Open up lines of communication with employees

Communication • Provide feedback & reinforcement • Provide regular forums (committees) with high employee involvement • Actively solicit & reward employee input about security vulnerabilities, issues, & improvements

Communication • Get personally involved in providing security awareness, training and education • Actions speak louder than words – set the example

Communicating Instructions / Procedures • Never assume that because we told someone what or how to do something, they understood • Explain, then have them to repeat • Follow-up and re-direct as necessary • Communication Includes Listening – Listen with the intent to understand

Employee Ownership • No one knows more about security needs than the people doing the work. • Lack of involvement (buy-in) is epidemic in traditional security programs • Caused by top-down management • Employees will get involved if you “make it safe for them to do so”

Employee Ownership • Start with involvement—work toward ownership • Get employees involved in: – Setting security policy, procedures – Inspections / audits – Behavioral observations & feedback – Conducting security training – Functional security committees

Leadership Developing Leadership for Security

“Walking the Talk” • If the “audio don’t match the video” you lose credibility • One of the most common complaints by employees • Management actions / decisions must be aligned with what we say about security

Performance Coaching Effective leaders help their teams practice perfection Don Shula

Why Employees Don’t Do What They are Supposed to Do • Don’t know: – Why/how • They think: – Your way won’t work – Their way is better – Something else more important – They’re already doing it • Rewarded for not doing • Punished for doing • No consequence for not doing • Obstacles beyond their control

Problems in the workplace are often created not by what we do, but by what we fail to do. Aubrey Daniels

New Focus “Catch me doing something right” • Traditional security only addresses the negatives • If people are not told they are appreciated – they will assume the opposite

EMPLOYEE MOTIVATION • SOON - CERTAIN – POSITIVE • “WHAT GETS REWARDED---GETS REPEATED”

What Gets Rewarded Gets Repeated • The job of the effective leader is to create positive consequences for positive performance • Decrease undesirable behaviors by arranging consequences that will stop them • Increase desirable behaviors by arranging consequences that will positively reinforce them

5 Steps for Effective Coaching 1. Observe the behavior 2. Reinforce all positive behaviors 3. Provide performance feedback (noninvasive) 4. Re-direct (if necessary) 5. Follow-up & reinforce new behaviors

Security Planning • Planning is a major differentiator between a security process that is proactive rather than reactive • When to plan for security – – – New operations / processes New equipment Shut-downs Acquisitions / mergers Downsizing

Security Planning • Plan for emergencies – develop a disaster recovery management plan and PRACTICE. • In a post 911 world, there is no excuse for failure to plan for emergencies.

Task Security Analysis • The single most effective technique for preventing incidents. • Organized system for breaking jobs into sequential steps. • Results in a secure work procedure (much more efficient than relying on “security policy, procedures and rules”).

Task Security Analysis • Perform for all high-risk activities • Use brainstorming process • Get employees involved in the process

Effective Security Awareness Training and Education The only thing worse than training people and losing them is not training them and keeping them.

Security Awareness, Training and Education • Who will conduct training • When, how often, who will keep documentation? • Account for: – Language barriers – Translation / Spanish trainers

Security Awareness, Training and Education • Supervisory and Management Training – Security Management – Leadership Training – Performance Coaching

New Hire Orientations • • Most Important Security Training Highest Rate of Incidents Compliance Required Training Buddy System

New Hire Orientations • Job Specific Security Awareness and Training • Job Rules • Incident Reporting • Retrain After First Day? • Language and Reading Issues

Supervisor Orientations • New Supervisors – Security Program – Duties/Responsibilities/Accountability – Training Needs

Training Improvements • Integrating security into job / task training is more effective than pure “security training”. • People learn more by doing than by hearing • Make all job security training as “handson” as possible

Learning Pyramid Source: NTL Institute for Applied Behavioral

Training Improvements • “See one, do one, teach one” • When we must teach others we are forced to learn it well • Getting employees involved in training other employees is invaluable

Five Step Training Process 1. Explain the task 2. Demonstrate how it is done 3. Allow employee(s) to do it under observation of the trainer 4. Re-direct as necessary 5. Follow-up

Incident Analysis • Only by getting to the root cause can we prevent a reoccurrence

Effective Brainstorming • Use for problem-solving, root cause analysis, or for generating ideas • What is a Root Cause ? • The real or underlying causes of: – Incidents – Insecure behavior – Insecure conditions

Why Investigate for Root Causes ? • Most “causes” listed on incident reports are not causes at all – they are symptoms • Finding root causes allows us to prevent a reoccurrence

Why Analyze for Root Cause ? • Standard incident investigations do not go far enough • Insurance investigations seek to place: – Liability – Compensability – Blame / Fault

Key Security Management Principle • Insecure acts & conditions are symptoms of something wrong in the management system • Root causes will lead to the following general areas: – – Knowledge Skill Motivation Work Process

Symptoms -vs. - Causes • Insecure acts or conditions are not the causes of incidents, they are symptoms of a defect in our system • Symptoms can be observed, but they are not the root causes • Causes are the underlying reasons that allow the symptoms to occur • Root causes cannot be seen—they can only be identified through a thorough investigation.

Root Cause Analysis • To determine root causes—look at the symptoms, gather the facts—then ask the “W” questions about each symptom – – – What Where Why, why and why Who When

Root Cause Analysis • Management creates the job, the environment, the rules, the culture, and the “way things are done. ” • If symptoms are occurring, management must change the system, rather than blaming the employee(s).

Root Cause Analysis • Symptoms - The insecure acts and conditions which we can see that often result in incidents but are not necessarily the root cause.

Root Cause Analysis • Causes - The underlying reasons for incidents which we can’t see can only be identified by a thorough investigation. • Some common examples of causes are: – – – Inadequate training Lack of accountability Inadequate policies and procedures Improper environmental and equipment set up Conflicts in Values

Root Cause Analysis • Failure to address root causes will result in reoccurrence of: – Symptoms – Incidents

Behavioral Security How Behavior Effects Security

“The insecure acts of persons are responsible for a majority of incidents” Donn Parker Father of Security

Not A Magic Bullet Addressing behavior alone is not the magic bullet. • Insecure behavior however, is often a component of the chain of events leading to an incident. • Insecure behavior is a predictor of future incidents. • Looking for shortcuts is NORMAL human behavior. • Allowing insecure behavior to become the norm, reinforces that it is o. k. and that nothing bad

Behavioral Security – What is it? • Belief that human behavior accounts for the majority of incidents • Refocuses security efforts from conditions (regulatory), to behavior • Based on observation & feedback of performance

• • Insecure conditions may include: Poor housekeeping (drink by keyboard, unsecured recycled trash receptors) Insufficient equipment (share PC) PC that is not current in O/S Patches Improper data storage No data classification Facility faults (Doors don’t close correctly, A/C not working - door is left open, etc. Require SS# or other unnecessary personable identifier

Insecure Acts An insecure act might be: – Weak password construction and management – Failure to log off at end of day – Delayed pickup of faxed confidential information at fax machine – Victim to social engineering attempt – Allowing a stranger to walk through building unchallenged. – Door to secure area propped open.

Observation Process • Request to observe employee working: 1. Summarize the secure behaviors that you observed. 2. Describe areas of concern. 3. Ask the employee for suggestions for a more secure way to do the task. 4. Thank the employee for allowing the observation.

Resistance to Change • With change comes resistance. • Culture change will revert to old ways without constant measurement and reinforcement.

Success Factors for Managing Change • Address employee and management resistance factors • Engage employees in action planning process • Establish reasonable objectives and schedule for implementation • Focus on the journey not the destination

Success Factors for Managing Change • • Have an organized system (ZIPP) Pilot first, then implement Recognize early signs of shifting Measure Evaluate Redirect or continue plan Re-evaluate……………

Why Measure Perceptions? • “Perceptions are reality” • Regardless of management’s intent regarding security – reality is what employees perceive about security.

Security Opinion Survey • Survey measures the drivers of a security culture against a potential perfect score of 100%. • The gap (how far from 100%) in each driver will help focus security efforts on lower scoring drivers.

Key Drivers • Vulnerability Correction • Security Communications • Behavioral Reinforcement • Security Values • Management Credibility • Accountability

Security Opinion Survey • Survey also measures the difference in what employees and management perceive about the security culture. • Typical results are that management perceives security as more positive than do employees. • The larger the gap the greater the problem.

Survey Parameters • • Fifteen to twenty questions Likert scale of 1 -5 (negative to positive) Using weighted-average, or mean Standard deviation – how widely scattered are the answers

Vulnerability Correction • Measures the importance a company places on identifying and correcting vulnerabilities. • Are appropriate resources expended to eliminate vulnerabilities?

Security Communications • Do employees feel security is adequately communicated? • Is there freedom to discuss security issues? • Do employees fear that communicating negative security perceptions might lead to reprimands or terminations?

Behavior Reinforcement • Is behavior observed and appropriate feedback provided? • Are positive acts rewarded? • Are negative acts reprimanded?

Security Values • Do employees perceive security is a true value in the organization or an espoused value? • Are production messages overwhelming security value messages and degrading management’s intent?

Management Credibility • Does the audio match the video? • Leaders must “walk the talk” of a security culture to have credibility.

Focus Group Interviews • Helps validate survey results and provides grassroots suggestions for improvement • Employees have less fear communicating when part of a group. • May be the first step in employee involvement and buy-in.

Management Interviews • Identifies the views of management. • Identifies problems in the flow of communication between the corporate level and the field/floor level. • Pinpoints perceived implementation problems.

Confidentiality • Confidentiality cannot be overstressed if you want the truth. • Consider use of a third party for collections. • Perceived lack of confidentiality with online surveys.

Survey Collection Protocols • Keep survey short or will be pencil whipped. • Separate supervisors and employees. • Consider cultural and literacy issues

Baseline Measurement • Initial survey provides a baseline. • Should measure again no sooner than 18 months to determine degree of improvement. • Culture change takes time to anchor.

Sensitive Information • Be careful how sensitive information is used if used in a punitive manner, you will never regain trust. • Once you open the door to communication you may be surprised at what is going on.

Culture Assessment Report • Identifies the strengths & weaknesses in the security culture. • Provides starting points for effective intervention. • Makes specific recommendations for improving the security culture.

What To Do With Information • A survey without intent to change will send the wrong message and may do harm. • Communicate the results of the survey to employees. • Involve employees in improvement plan. All content is copyrighted material and may not be duplicated, distributed, transferred, transmitted, copied, altered, sold, used to create derivative works, or otherwise misused.