Addressing the Human Security Vulnerability

Computerworld - So, you have the best firewall, intrusion-detection and antivirus systems technology has to offer. Yet, despite your Fort Knox approach, you're still hit with security breaches and the occasional malware du jour. One reason for this may be the lack of motivation by your workers. Unlike owners, they don't have a direct interest in the success of the company. Or do they? How far are they willing to go to ensure corporate success?
Usually, not very. In fact, in most cases, they don't put much additional effort into executing their duties -- just enough to get the work done and retain their jobs. According to Ken Shaurette, information security solutions manager at MPC Technology Solutions, however, "a too-often overlooked way to improve these attitudes is to include information security in the job descriptions of employees." When your organization makes security awareness and policy compliance mandatory, the apathetic trend can be reversed.
When management requires security policy compliance to be a key part of an employee's job, interest is generated. An added benefit is that security becomes part of the corporate culture. With performance reviews (hence, possible raises) looming periodically, employees are more apt to fit compliance into their daily routine. Knowing that they're being graded encourages employees to comply with policies.
Shaurette encourages employers to include a wider cross section of employees in the interview portion of security assessment and in compliance reviews. These additional personnel will automatically gain a better awareness of security issues simply as a result of their exposure to security professionals. Not only will they add their input as to what data should be gathered for analysis, but they'll also come away with a better appreciation of the need for assessments. When they're a part of the compliance review, employees "will get a sense of ownership of the final results from the assessment," says Shaurette.
Inclusion alone won't always solve employee-apathy problems, however. Here are some other ways to reduce security risks created by employees who just don't care.
Monitoring. One solution that maybe isn't palatable but certainly is effective is employee usage monitoring. Tracking employee PC use can result in negative repercussions for the company, but it's one sure way to establish control over the network. Monitoring needs to be carried out in such a way that employee dignity is protected -- a daunting task because few tools are available to automate the process. "Doing the monitoring can become a very heavy administrative burden or require many application modifications that are often not even possible