In its basic form, apathy is indifference and lack of motivation. An employee who is apathetic often “goes through the motions.” This attitude results in poor performance and doing the minimum to get by. In the case of information security, it’s hard to imagine that doing the minimum keeps information safe. In security, user apathy renders the entire organization vulnerable.
Policies by their nature cannot anticipate every situation. Talented and trained individuals will always be needed to deal with the unexpected. The combination of an apathetic worker with an unexpected security incident can result in disaster. A simple delay in reporting a potential incident, for example, could mean the difference between preventing an incident and having to deal with its aftermath. An apathetic worker can miss the opportunity to prevent sensitive information from getting into the wrong hands, leaving thousands of angry customers whose personal privacy has been breached.
Well-defined security policies assume a certain level of noncompliance and even worker apathy. You build redundancy into security policies to detect and react to security breaches. In this way, you don’t have to rely on any one individual to maintain security. A good example is automated escalation. If an administrator is paged about a potential security breach and fails to respond within a given time limit, an escalation page is sent to a supervisor. Security policies can require such escalation.
Assigning a security liaison within a department or group can often be a way to effectively engage a group of workers. Someone who knows the personalities and language of the group can convey the security message in a positive way.
Overcoming the effects of apathy on security policies is a combination of the following: