Have you ever tried to work when you’re really sick? I don’t mean a little cough or sniffles. I’m talking about a genuine, drag-out, “can’t get out of bed” illness — the kind where it hurts to stand up, let alone go into the office.
I hate to admit it, but I’ve gone to work in that condition — you probably have too (although pretty much everyone agrees we shouldn’t). Maybe it was that time that the critical project’s deadline was looming, maybe we were shorthanded during a critical application rollout, or maybe it was when we had a critical meeting with the overseas investors. Whatever the reason, we just really needed to go in — and so we did.
Now before you get defensive, I’m not about to join the chorus saying to stay home when you’re sick (which in the interests of public health, we really should). That’s not why I’m bringing it up. Instead, I’m bringing it up to illustrate the variability of employee performance. Here’s what I mean: Take a moment to visualize the experience you had trying to work when you were sick — stuffy head, aching limbs, fever, maybe “juiced up” with cold medicine. How productive were you at that time compared to an average day? Clearly less productive, right?
Changing State of Mind
The point I’m trying to illustrate is that different situations and contexts — different employee states of mind (like being sick) — have a direct impact on employee job performance. In other words, the ability of employees to do their jobs varies. Not surprising, right? In the example above, being sick has an impact — in this case, a negative one. On the other hand, being well-rested has a positive impact. For example, studies done by NASA suggest that napping increases employee alertness and thereby performance and effectiveness (seems straightforward — you’re less alert when you’re tired.) The point is, it’s important for us as managers to realize that employee performance is not a constant. Every aspect of how an employee does his or her job varies from individual to individual, from day to day, and according to their state of mind. These factors have a demonstrable impact on performance, efficiency and quality.
As managers, we spend quite a bit of time and energy evaluating employee state of mind — things like morale and job satisfaction — because these factors directly impact employee retention, safety and quality. However, how often do we stop and assess how those same factors impact security? Because they do have a security impact, and a security organization that can understand (even in broad terms) the mood of employees has an advantage. It’s similar to the advantage that a card counter has at the blackjack table. Just like the card counter can bet smartly based on knowing when the odds favor the house vs. the player, a security organization that understands employee morale, stress and fatigue (in aggregate) can understand when their organization is at a higher or lower level of risk — and plan according to that knowledge.
Increased Risk, Decreased Control
First of all, it’s important to understand that employee attitudes influence security both in a positive and a negative way. On the positive side, employees act as agents and enforcers of security policy. Employees in the security organization do this overtly, but every employee has a role to play when it comes to safeguarding information, when it comes to responding appropriately in a time of disaster, and when it comes to keeping alert for (and reporting) security incidents. Turn down the dial on an employee’s ability (or desire) to do these things, and the degree to which your policies are appropriately followed will decrease accordingly.
On the other side of the equation, employees are also the single largest risk factor for organizations. Internal employees (intentionally or otherwise) often put data at risk by virtue of the level of access that they need in order to do their jobs. Employees can cause quite a bit of damage when they’re so inclined, either through overt mischief or through failure to follow appropriate security measures. Ratchet up an employee’s demotivation, ill will and hostility to the organization, and you can expect a higher level of risk as a result. Some employees are going to be more likely to be overtly malicious, while others will just be less gung-ho about doing everything in their power for the organization to succeed. Either way, it puts data and resources at risk.
Stress, Fatigue and Morale
Understanding that employees have this type of impact is one half of the equation. Understanding specifically which states of mind are undesirable is the other. Earlier, we used the example of morale to illustrate the negative impact of employee behavior. So if you’re in a situation where employee morale is at a low point — such as during an acquisition or layoff period — it behooves the security organization to increase security-related vigilance during this period of increased risk. However, there are other factors as well that impact risk: namely, stress and fatigue.
Employees that are stressed, overworked or fatigued (for example, when they are “under the gun” due to deadlines, inappropriate levels of staffing, or increased work volume) are less likely to have the time and “cycles” required to ensure that security procedures are appropriately followed.
Think about it this way: If you’re a system administrator whose job includes both application maintenance and log file review, are you going to prioritize keeping the application running or looking for security problems in the log when you don’t have time to do both? Undesirable as it might be, chances are that security will fall by the wayside in this case. So again, it behooves a smart security organization to understand when employee stress is at a high point and, for example, deploy automated measures that are not reliant on employee action to compensate. As with morale, understanding when employees might be less likely to follow security measures can put an organization in a position to react in a way that counterbalances the increased risk they are under.
Of course, good data about these factors is not something that most security organizations are used to routinely gathering, so it’s useful to leverage what data is available. Larger organizations might have folks within human resources who keep a bead on these things via employee satisfaction questionnaires; if so, leverage that data if you can, but understand that this is likely to be far from the norm.
Keep an eye on formal metrics if they’re available, but in the absence of that, keep an ear open around the water-cooler; it’s not hard to tell when employees are dissatisfied or overworked.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.