Human Performance Technology (HPT) 1st Project - 1

What Would You Do if You Got a Suspect Email?

Steven Miner Old Dominion University IDT 830 - Principles and Practice of Human Performance Technology Dr. James Marken Fall 2011

Human Performance Technology (HPT) 1st Project - 2

What Would You Do if You Got a Suspect Email? Most people who use email daily know to not open emails or programs within emails from unknown senders as it may contain some sort of virus or malware. Not opening these items is a conservative measure but they know the consequences of allowing such an intrusion onto their computers can have a very negative impact on them. Likely theyve learned this information from cybersecurity training, experiential learning, or from a news report. But, do they know what to do with an email from a relatively trusted source that has suspect information or requests? The Background An experienced computer user at a large company got an email from a government organization hed been working with that contained a link for what appeared to be endorsed anti-virus software. Thinking it was odd for the government to endorse something he forwarded the email to his local office security manager. The security manager immediately recognized an incorrect action (you should never forward any suspect email to others) and immediately contacted the user to discuss what actions hed taken and to provide direction for immediate permanent removal of the email from his system. The security manager did not scold nor lecture the user but did thank her for recognizing it might have security implications (she chose to forward to him vice deleting it herself). Then the security manager began to put on his HPT lens. The Problem Although company employees know what to do with emails from unknown sources they do not know what to do when encountering suspect information from a trusted source. Additionally, they did not know where to find a solution to questions they may have regarding such issues. This Problem Needs a Solution The company has nearly 40,000 employees nationwide who all use a computer daily. In addition to corporate information, they also work with classified government information both of which are

Human Performance Technology (HPT) 1st Project - 3

potential targets for overt and covert espionage. Employees clearly need to have better baseline knowledge and know what options they have for help 24 hours a day. How Bad Is the Problem? A quick review found that the companys annual cybersecurity training clearly defined the actions for receipt of an unsolicited email, file, or hyperlink but did not address actions for suspect information or potential phishing1 attempts. A dedicated search revealed that the company did have a process and although it was within a link on the main company website that all users must log into daily users were not aware of this link. Is There a Quick Fix for this Problem? Fortunately, this particular security manager was also a very knowledgeable computer user and knew what solutions should exist and where to look. After performing independent research within the company he then contacted the security lead within the companys computer department and presented him with the issue and a potential solution. With the corporate computer departments validation, the security manager then provided the solution to his supervisors for review and dissemination. The email with the solution (training on the issue, immediate actions, resources, screenshots of where to find information, etc.) became somewhat of a virus itself as it passed from supervisors to vice presidents to other product lines and eventually the company website ran a story in their daily blog. Additionally, the security manager was asked to assist in the review of the cybersecurity annual training module. What Consequences Exist? There are obvious negative consequences for allowing a virus or malware onto a computer and possibly a computer network. And, as previously indicated, most users know to not open things they

Phishing is the term for garnering information from computer users through creation of fictitious websites and emails that use social engineering techniques to lure suspects into giving up passwords and other private information.

Human Performance Technology (HPT) 1st Project - 4

dont trust or understand. But, what isnt perhaps as obvious is the negative consequence of a user deleting items such as an email from an unknown source or a suspicious link or file from a trusted source. Although the action is quick and the user is likely protected from harm it does not alert security personnel about the issue. This, in terms of Robert Mager, is an undesired performance being rewarded. The performance should be to follow the corporate procedure for notifying cybersecurity professionals but this takes time and may also require a review of the users system. By immediately deleting the suspect item the user avoids the time and intrusion (rewarded with no delay to normal work). Do We Need to Enhance User Competence? User competence is based on their skillset with using computers. They already know how to use their computers proficiently as they do it every day. However, there are two identified issues with their knowledge of a subset of security actions and where to go to find assistance. Users clearly have the aptitude for accepting an advanced decision rule regarding suspicious email but there is concern they may not have the motivation to follow this rule. Hence, obstacles exist with getting information to the users and motivating them to adopt the correct performance. Solutions For this real world example, the solution included the following: 1) Annual training was altered to reflect the new subset to suspicious email actions 2) An email was immediately sent to all employees that included: a. A screenshot for the one-step connection to corporate computer security available 24hrs a day b. Bullet phrased descriptions for what to do in case of examples with simplified performance actions c. A discussion of why it is important d. A discussion of user responsibilities and how not performing these actions could affect the company and the country e. The consequences for users for not complying with the required performance (termination) f. A reward initiative for correctly using the system

Human Performance Technology (HPT) 1st Project - 5

Conclusion The results of the solution are not yet fully realized as the timeframe is too short for reflective analysis. However, immediate positive feedback was provided from senior management through middle management not only for the solution but also for recognition of the process steps that were taken to achieve the solution. A tertiary take-away was that individuals within the system should have ample means of communication (anonymous input, input without fear of reprisal, etc.) to positional authority. As for the local security manager, he got a bonus. ;) References

Mager, R. F., & Pipe, P. (1997). Analyzing Performance Problems. Atlanta: The Center for Effective Performance, Inc.