P is for password, it’s also for pwned.

“I don’t need a password manager, I use a pattern so I remember them.” Hearing these words strikes fear in the heart of the security professional, and we hear them with terrifying frequency because that is what people (ordinary people, our users) do. They use some kind of predictable pattern, maybe with a little variation, on just about every site or application they frequent, including the corporate ones we are paid to protect. Let’s face it, who can blame them?

The most recent set of NIST guidelines for passwords acknowledges the challenges faced by users of our systems and is designed to put the user first by making good security hygiene a user-friendly process. At ThoughtWorks we wanted to update our password requirements to meet the new guidelines, and since we have always had the policy of allowing and encouraging people to buy and expense a password manager, we thought it should be a pretty straightforward process.

Well, it turns out we were making a lot of assumptions. Our policy was not actually well advertised or consistently applied, and anecdotal evidence suggested that we weren't quite as security-conscious as we imagined. We set about validating our assumptions with some user research and we learned a lot. On the one hand, we had a lot to be proud of, but there was an awful lot more that could be done.

As a result of this work, we have set ourselves a goal to drive behaviour change, not only with respect to our corporate information systems but more broadly. Our work is guided by the principle that good personal security hygiene amongst ThoughtWorkers, not just at work but in every aspect of their digital lives, is the best way to protect our systems.

Come to this session to learn about what we found and what we did about it, specifically: how to take your users on a security journey with you, and how to leverage the skills of your technologists to support and help your technophobes.


Outline/Structure of the Case Study

Intro and background 5m

Research method and results 5m

Research Outcomes 10m

Next steps 5m

Results to date 5m

Lessons learned 5m

Q&A 5m

Learning Outcome

Attendees will be provided with a step-by-step guide for driving wide-scale behaviour change, and will learn the importance of taking users on a journey and how to make a business case for more user-friendly security.

Target Audience

Change Managers, Information Security professionals.

Prerequisites for Attendees

No prerequisite knowledge required.

Submitted 5 years ago