Top 5 reasons not to use fear to encourage security compliance
Security is important in any organization, but getting employees to follow protocol can be a challenge. Tom Merritt offers five reasons why using fear-based motivation techniques is not ideal.
Oh, these people who are using insecure passwords, clicking open phishing emails and installing malicious apps–why don’t they understand? We’ll show them, right? If you don’t follow the security protocols, you’re in for it. “Fear will keep the local systems in line.” Wait… Grand Moff Tarkin said that in Star Wars. It didn’t work out so well for him. Maybe fear isn’t the best way to get your staff to be more secure. Here are five reasons why you shouldn’t use fear to encourage security compliance.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Fear fades. You burn out and get used to it. “Yeah, yeah, yeah, bad things are gonna happen. I heard it the first thousand times.” A much better tactic is to get people to want to be secure.
- People are suspicious of fear mongering. When the fear fades, the skepticism sets in. “I bet those security pros don’t know what they’re talking about. They’re just cashing a paycheck. I’ve never been hacked!” Once you lose trust you’re not going to get compliance.
- Fear can also have other side effects. Punishment can bring limited compliance in one’s employees, not understanding and adaptability. This can end up lowering productivity and innovation. “I’d better just follow the rules, not try anything new.”
- Fear can lead to cheating and shortcuts. The classic case? You tell staff to use long passwords, don’t reuse them, and don’t write them down. How are they supposed to do all that and remember their passwords? Maybe just give up on following the rules since you’ll get in trouble anyway. A better idea might be to give them tools for better password management.
- Fear demotivates. Yelling, punishing, and threatening does not make for a thriving workplace culture. Getting people on your side and wanting to improve security is much more sustainable.
Listen, I’m not going to punish you if you don’t pay attention to these five things. Right? We both want better security compliance, so think it over.
Subscribe to TechRepublic Top 5 on YouTube for all the latest tech advice for business pros from Tom Merritt.