The Challenge of User Apathy

In its basic form, apathy is indifference and lack of motivation. An employee who is apathetic often “goes through the motions.” This attitude results in poor performance and doing the minimum to get by. In the case of information security, it’s hard to imagine that doing the minimum keeps information safe. In security, user apathy renders the entire organization vulnerable.

Policies by their nature cannot anticipate every situation. Talented and trained individuals will always be needed to deal with the unexpected. The combination of an apathetic worker with an unexpected security incident can result in disaster. A simple delay in reporting a potential incident, for example, could mean the difference between preventing an incident and having to deal with its aftermath. An apathetic worker can miss the opportunity to prevent sensitive information from getting into the wrong hands, leaving thousands of angry customers whose personal privacy has been breached.

Well-defined security policies assume a certain level of noncompliance and even worker apathy. You build redundancy into security policies to detect and react to security breaches. In this way, you don’t have to rely on any one individual to maintain security. A good example is automated escalation. If an administrator is paged about a potential security breach and fails to respond within a given time limit, an escalation page is sent to a supervisor. Security policies can require such escalation.
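The escalation rule described above can be written as a small, testable policy. This is an added example, not code from the book; the contact names, time limits, and function names are assumptions chosen for illustration, and it generalizes the single administrator-to-supervisor step to a chain of any length.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tier:
    contact: str            # who gets paged at this level (hypothetical names)
    ack_window: timedelta   # time allowed to acknowledge before escalating


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    acked_at: Optional[datetime] = None   # None means nobody has responded


# Constructed policy: administrator first, then supervisor, then a manager.
POLICY = [
    Tier("oncall-admin", timedelta(minutes=15)),
    Tier("supervisor", timedelta(minutes=30)),
    Tier("security-manager", timedelta(minutes=60)),
]


def pages_due(alert: Alert, policy: List[Tier], now: datetime) -> List[Tuple[str, datetime]]:
    """Return (contact, page_time) for every page that must have gone out by `now`."""
    pages = []
    page_time = alert.raised_at
    for tier in policy:
        # An acknowledgement received before this tier's page time stops the chain.
        if alert.acked_at is not None and alert.acked_at <= page_time:
            break
        if page_time > now:
            break  # this tier's turn has not arrived yet
        pages.append((tier.contact, page_time))
        page_time += tier.ack_window  # the next tier is paged when this window expires
    return pages


def chain_exhausted(alert: Alert, policy: List[Tier], now: datetime) -> bool:
    """True when every tier's window has elapsed without any acknowledgement."""
    deadline = alert.raised_at + sum((t.ack_window for t in policy), timedelta())
    still_open = alert.acked_at is None or alert.acked_at > now
    return still_open and now >= deadline
```

An alert for which `chain_exhausted` returns true is the case the redundancy exists to catch: no individual in the chain responded, so it should be surfaced through a separate channel rather than dropped.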

TIP

Assigning a security liaison within a department or group can often be a way to effectively engage a group of workers. Someone who knows the personalities and language of the group can convey the security message in a positive way.

Overcoming the effects of apathy on security policies requires a combination of the following:

  • Engaged communication—Get leaders to listen to reasons for worker apathy. Adjust the implementation strategy to better explain the importance of the policy within the context of the individual role.
  • Ongoing awareness—Continually reinforce the message of the value and importance of information security. Good security awareness can be a preventative measure against apathy.
  • Setting the right expectations—Ultimately workers are expected to follow policy as part of their jobs. Compliance must be monitored, and individuals must be held accountable.
  • Creating some layers of redundancy—Some layers of redundancy are good. Avoid, whenever possible, sole reliance on any individual or single technology. Frankly, the more redundancy an organization can afford, the better. However, redundancy is expensive.
  • Recognizing and rewarding compliance—Seek opportunities to spotlight individuals who model the desired behavior. This can be as simple as public recognition by a senior executive or a small gift card reward. Rewards are a fantastic motivational tool.