In a recent blog post about organizational security resources, we shared a link to a survey we have used to better understand a staff’s use of technology. In this post, we want to dive deeper into the rationale behind the questions we’ve developed and share a few questions and challenges that remain.
Why a survey?
In our work supporting the development of effective organizational security practices, we have found it useful to begin by engaging the organization’s staff in a survey. This survey is meant to capture an overview of how staff of an organization use technology, both personally and in their work.
We find surveys particularly useful in this process because:
- They create a baseline for how the staff currently uses technology
- They help us craft relevant follow-up interviews with staff
- They help us set a scope for our security recommendations for the organization
The results can easily be shared with an organization’s management to give them information they may not already have about the technology their staff are using. This means that right from the start we are creating something useful for the organization.
What questions do we include in the survey and why?
We start by breaking it down into security-related categories: Hardware, Software, Software updates, Internet Use, Security, Data Storage, Phone, and Travel. The categories are helpful for organizing different security risks and crafting a custom security plan for each staff member.
You may be surprised that security is a standalone category. Remember that this survey is meant to understand an organization’s technology use at the beginning of a security support process. That means that at the time of the survey, their use of security technology (and their understanding of it) is likely limited.
Within each category we have various questions that tell us how much experience each staff member has with particular technologies. We intentionally frame the questions in a way that doesn’t make people feel stupid or defensive. Here are some example questions from the category on security:
What kind of passwords do you use normally?
- Long complex ones that my password manager generates
- A few complex passwords that I remember
- A few strong ones that I use for my important accounts
- A simple password that I can remember for most accounts
How often do you change your passwords?
- Not unless a program tells me I have to. If it works, why change it!
- I have had the same since high school
- I change them every few months
- I am a password ninja with long complex passwords that I change frequently
The survey draws out the different levels of security experience and insight within the organization. Imagine a staff that has a few people who are very knowledgeable about secure browsing on the internet, but never update the passwords for their accounts. Within that same team, there might be staff who use password managers for creating and protecting account passwords, but who don’t know how to check that a site is served over HTTPS (TLS, still often called SSL). Learning about the different digital habits of staff members helps us identify (and empower) existing security champions, and plan hands-on trainings and opportunities for skill sharing within the team.
What do we do with the results?
The first step is to make sure everyone fills out the survey. How long it takes for different team members to take the survey can be an interesting way of detecting who is excited about the process (and who may need some extra convincing). Once the results are in, we do some preliminary analysis to see if we can find any interesting insights. We then begin to prioritize awareness raising and training based on low-hanging fruit. This makes it possible to find entry points for early engagement and successes.
We share the information with the organization in three ways:
- we provide them with an overview of the hardware and software that their team uses, so that they can better understand how tech is used in their team
- through conversations and the information we collect from the surveys, we identify high-priority threats and low-hanging fruit (like https and passwords)
- we use the data to develop a plan that management and technology leads in the organization review with their team
Later in the process we use the data to check back on progress (and to remind the organization that even though security improvements can feel like a drop in the ocean, they have come far in their work).
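As an added example of the preliminary analysis and the later progress check-in described above, here is a small Python script. It is not the original post’s own tooling: the CSV layout (respondent, category, question, answer), the question names, the 0 to 3 answer scale, the extra “https_check” question and the three respondents are all constructed for illustration. The two password questions reuse the survey’s own answer options. The script scores each respondent per category, reports the weakest category across the organization (the low-hanging fruit to start training on), lists the staff who score highest in each category (candidate security champions for skill sharing), and compares a baseline round against a follow-up round.

```python
"""Score a staff technology-use survey: low-hanging fruit, champions, progress.

Added example, not the original post's tooling.  Question names, the
0-3 answer scale, the https_check question and all respondents are
constructed; a real export would come from the survey tool as CSV with
the same four columns.
"""
import csv
import io
from collections import defaultdict
from statistics import mean

# Each answer option scored 0 (weakest) to 3 (strongest).  The scale simply
# mirrors the order of the survey's own answer options.  Unknown answers
# raise so that typos in an export are caught instead of silently scored.
ANSWER_SCORES = {
    "password_type": {
        "Long complex ones that my password manager generates": 3,
        "A few complex passwords that I remember": 2,
        "A few strong ones that I use for my important accounts": 1,
        "A simple password that I can remember for most accounts": 0,
    },
    "password_rotation": {
        "Not unless a program tells me I have to. If it works, why change it!": 0,
        "I have had the same since high school": 0,
        "I change them every few months": 2,
        "I am a password ninja with long complex passwords that I change frequently": 3,
    },
    "https_check": {  # assumed extra question, not from the post
        "I don't know how to check": 0,
        "I look for the padlock or https:// before entering a password": 3,
    },
}

# Constructed baseline responses.
BASELINE_CSV = """\
respondent,category,question,answer
alice,Security,password_type,Long complex ones that my password manager generates
alice,Security,password_rotation,I change them every few months
alice,Internet Use,https_check,I don't know how to check
bob,Security,password_type,A simple password that I can remember for most accounts
bob,Security,password_rotation,I have had the same since high school
bob,Internet Use,https_check,I look for the padlock or https:// before entering a password
carol,Security,password_type,A few complex passwords that I remember
carol,Security,password_rotation,I change them every few months
carol,Internet Use,https_check,I look for the padlock or https:// before entering a password
"""

# Constructed follow-up round: bob adopted a password manager, alice learned
# to check for https, carol is unchanged.
FOLLOWUP_CSV = """\
respondent,category,question,answer
alice,Security,password_type,Long complex ones that my password manager generates
alice,Security,password_rotation,I change them every few months
alice,Internet Use,https_check,I look for the padlock or https:// before entering a password
bob,Security,password_type,Long complex ones that my password manager generates
bob,Security,password_rotation,I change them every few months
bob,Internet Use,https_check,I look for the padlock or https:// before entering a password
carol,Security,password_type,A few complex passwords that I remember
carol,Security,password_rotation,I change them every few months
carol,Internet Use,https_check,I look for the padlock or https:// before entering a password
"""


def load_responses(csv_text):
    """Parse a survey export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def score_answer(question, answer):
    """Look up the 0-3 score for one answer; reject anything unscored."""
    try:
        return ANSWER_SCORES[question][answer]
    except KeyError:
        raise ValueError(f"unscored answer for {question!r}: {answer!r}") from None


def respondent_scores(rows):
    """{category: {respondent: mean score over that category's questions}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for row in rows:
        buckets[row["category"]][row["respondent"]].append(
            score_answer(row["question"], row["answer"]))
    return {cat: {who: mean(scores) for who, scores in people.items()}
            for cat, people in buckets.items()}


def category_summary(rows):
    """Organization-wide mean per category: the baseline for management."""
    return {cat: mean(people.values())
            for cat, people in respondent_scores(rows).items()}


def low_hanging_fruit(rows, n=1):
    """The n weakest categories across the organization: where to start."""
    summary = category_summary(rows)
    return sorted(summary, key=summary.get)[:n]


def champions(rows, min_score=2.5):
    """Per category, staff at or above min_score: candidates to lead skill sharing."""
    return {cat: sorted(who for who, s in people.items() if s >= min_score)
            for cat, people in respondent_scores(rows).items()}


def progress(baseline_rows, followup_rows):
    """Change in the org-wide mean per category between two survey rounds."""
    before, after = category_summary(baseline_rows), category_summary(followup_rows)
    return {cat: after[cat] - before[cat] for cat in before if cat in after}


if __name__ == "__main__":
    base, later = load_responses(BASELINE_CSV), load_responses(FOLLOWUP_CSV)
    print("baseline:", category_summary(base))
    print("start with:", low_hanging_fruit(base))
    print("champions:", champions(base))
    print("progress:", progress(base, later))
```

On the constructed data this surfaces the pattern the post describes: alice is the password champion but scores zero on checking for https, bob is the reverse, and Security comes out as the category to tackle first. One caveat when reusing the weights: the password_rotation scale only mirrors the ordering of the survey’s answer options; if you follow current guidance that discourages routine password rotation, adjust those weights before treating the score as a target.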
What questions and challenges remain?
We are interested in improving the way these survey results can be used to monitor and evaluate the type of support we provide. Right now the survey is very useful for diagnostics, but we want to use it better as a progress indicator and check-in. We’re also interested in exploring how we can use microsurveys throughout our support process: short questionnaires that measure one or two things and can be filled out quickly and frequently. We would love to hear from you if you’ve had success (or informative failure) with using data-driven approaches to motivate organizational change. We are also really interested in working with more organizations who are looking for help tackling organizational security challenges.
Here is a link to the initial survey we use with organizations; and here is a link to a survey that Equalit.ie uses.