You Picked a Fine Time to Leave Me Lucille…
In the famous Kenny Rogers song Lucille, a scorned husband confronts his cheating wife in a bar and publicly shames her by reminding her that she “…picked a fine time to leave me Lucille, with four hungry kids and a crop in the field.” (my apologies if that song is now stuck in your head). While shaming did not work in that song, can it be an effective tool in enforcing security policy? Surprisingly, the answer may be yes.
Forbes Magazine just released a study of trends in cyber security and one of the surprising things they found is that people are more concerned about their Facebook or Twitter accounts being compromised than they are about someone getting a hold of their credit cards. This concern stems in part from the public shame associated with your friends and followers finding out that you have been hacked. If a hacker gets your credit card information, that is between you and your bank. If that same hacker gets control of your Facebook page or Twitter feed all of your friends will know about it, and it will probably be one of your friends who tells you about it.
How do you translate shaming into a corporate policy? Mark Harris, of the University of South Carolina, presented a paper at the 2012 Southern Association for Information Systems (SAIS) Conference entitled “Shaming as a Technique for Information Security Policy and Training Adherence” [PDF]. In it, he argued that some types of shaming can be effective in enforcing IT Security Policy. As part of his research, Professor Harris described an IT Security Policy violation and surveyed a group of people about their opinions on the harshness of a range of punishments for that violation. Firing was rated the most harsh, but the surveyed group felt that "A photo of you and others that made the mistake is posted on company bulletin boards and in break rooms” was almost as harsh. In fact, that version of public shaming was deemed harsher than being demoted and getting written up by a manager.
Of course, there are concerns associated with engaging in shaming behavior that users consider near equivalent to firing. But, other forms of peer shaming, such as “A list of those that made the mistake is sent to everyone in the company via e-mail”, were deemed harsh but not in the same realm as firing. Given the increase in the number of successful attacks that start with phishing attempts, finding ways to control user behavior is critical to the success of an organization's security team. Perhaps more research should be done into shaming techniques.