Brief introduction

November 30 is Computer Security Day, which is a good opportunity to remember the regulations that form the administrative basis of security. Since the introduction of the NIS2 Directive, organizations that were not previously required to do so must now also regulate computer security. This blog post explores the difficulties involved in doing so.

Information security is no longer just about passwords and firewalls. Organizations are introducing more rules, procedures, and technical restrictions to protect their data, and rightly so. At the same time, these rules can overwhelm users, a phenomenon that has even been given its own name: compliance fatigue.

What is compliance fatigue?

Compliance fatigue occurs when employees are faced with so many rules, regulations, and security messages that they no longer know what is important and what is not.

This can have dangerous consequences, as users automatically click on the “I understand” button, circumvent the rules (“I’ll just send this quickly by email, it won’t hurt this once”), or completely lose their security awareness. Accepting cookies and/or data processing notices can also fall into this category.

The result: too many rules weaken the very security they are meant to protect.

Introducing rules based on risk

  1. Targeted regulation – only where it makes sense

Not everyone should be subject to the same rules. An HR employee and a developer work with different risks. It is less important for the HR colleague to read the section on secure coding in an IT security policy, but the developer may not need to familiarize themselves with the rules on background checks for new hires. Targeted, risk-based regulation is likely to meet with less resistance and may also be more effective.

  2. Communicate in human language

Instead of using terms such as “prohibited,” “strictly,” and “mandatory,” explain the reasons. Sometimes these words are unavoidable, but they should be avoided whenever possible. It is worth providing explanations for the various rules. One example is the requirement that incidents must be reported. If the policy does not provide examples, it may not be clear whether a given event is an incident. Therefore, if the policy explains, in a way that is understandable to the average user, that the unavailability of data recorded in an information system (e.g., deleted data) is an incident, then a user who encounters such an event is more likely to report it.

  3. Small steps, big impact

Don’t overwhelm users with the entire IT security policy at once. It is advisable to create a training plan in which the author of the policy explains it and, using examples like those mentioned above, illustrates the purpose of each rule and the circumstances in which it applies. It may also be advisable to prepare an excerpt from the policy (or several, depending on the roles) that contains only the rules applicable to the targeted colleagues. This is already a step towards ensuring that the regulations are actually read by their target audience.

Gradual introduction – for example, one new security feature per month, such as MFA or data classification – helps users get used to the new processes while gradually learning about the regulations.

  4. Gamification and positive feedback

Rewarding secure behavior (e.g., “Cyber Hero of the Month”) is much more effective than punishing mistakes. If an organization relies on threats of disciplinary action, the effect can be counterproductive, while incentives help ensure that rules are properly applied.

People are more willing to participate in programs that give them a sense of achievement. A quiz game with information security questions can be very successful because it does not take long, and participants can learn about cybersecurity awareness while enjoying the competition. Based on my own experience, the title of “Organization’s Cybersecurity Mogul” can be held for one year and has proven to be an effective incentive and competitive force!

  5. Ask for continuous feedback

Don’t consider the rules to be final. Ask for feedback on which regulations hinder work and what can be improved. If there is a rule that we have introduced but is clearly not working, don’t force it any further. Every rule is only as good as its compliance. In such cases, examine whether there is another way to achieve the same goal. There must be another, alternative way!

Asking for feedback not only involves employees but also increases the maturity of the security culture.


Connection to objectives in standards (e.g., ISO 27001)

This approach is consistent with controls A.6.3 and A.6.7 of ISO/IEC 27001:2022, which emphasize the role of user awareness, training, and behavior change. It is very important that organizations place appropriate emphasis on this, as it can be shaped into the most effective and rewarding security investment. A cybersecurity system, however well implemented, is only as effective as the attention the organization’s employees pay when applying the rules they have been taught. The goal is for security rules to be a support rather than an obstacle in everyday work.

Closing thoughts

Security does not begin where more rules are created, but where people understand and feel that these rules belong to them. This is of paramount importance!

Computer Security Day is a good opportunity to introduce not only new rules, but also a new approach: human-centered security.

Black Cell has experience with the regulatory structures required by the authorities, as well as in-depth knowledge of the areas to be regulated as required by auditing organizations. Contact our Compliance division for the assessment, audit, and development of your regulatory structure to make it more optimal!

And one more thing: Black Cell Academy is a role-based e-learning awareness platform that is suitable for cybersecurity training as well as gamification. The platform allows organizations to integrate their own internal training into the system, bringing all training together in one place.


Author

Baranya Zsolt

SENIOR INFORMATION SECURITY AUDITOR