As we’ve pointed out in a few previous posts, the basics of infosec have not changed, and neither has the primary threat: the users of the network. Building a solid foundation of compliance with your security policies is fundamental. So how do you get your users to invest in and live out your company security policies and procedures? How do you encourage them to be vigilant about security?
The best way to get people motivated is, as Neil pointed out, to model good behavior yourself. But it shouldn’t stop there; you should always look for another person to encourage and teach in the ways of good security practices. And of course you should encourage them to find their own disciple. Ideally this kind of thing should be going on at a managerial and team leader level. I’ve found that people will generally rise to the level of leadership that is presented to them. You should be striving to build a culture where users are invested in security and know that those around them are as well.
Education is, of course, paramount, as users must know about the policies to be able to abide by them. Finding ways to educate users without drudgery can be challenging. Using the mentoring model is an excellent way to spread good security practices, as it allows for a level of non-threatening accountability. Another idea is to use contests to reinforce training sessions. I’ve seen some security administrators set aside a few hundred dollars of their security budget to use as prize money throughout the year. They use prizes of five to ten dollars to motivate their people to be on the lookout for and report suspicious or unknown people in their buildings. The effort has greatly improved employees’ awareness of their surroundings, and the benefits easily surpass the minimal cash investment by the company.