Do you have a Bieber Policy?!
What are you doing to change behavior in your org to reduce infosec risk?
Many of my guests on Cyber Security Interviews (Perry Carpenter, Joseph Carson, Lance Spitzner, Theresa Payton, Kristin Lovejoy) have talked about people-centric approaches to cyber security.
One thing that I did in a prior organization was to implement "The Bieber Policy" for unlocked workstations. Get up and leave your workstation unlocked, you get Biebered, for all in the office to see.
It was a written policy limited to our security team/group. All you could do was change the desktop background to Bieber photos; you couldn't do anything else (explicit deny).
So what happened? Behaviors changed and people locked their workstations. No one likes being Biebered :(
Something simple to reinforce a policy and keep the shoemaker's kids thinking about their OWN organizational security responsibilities in a bit of a silly way. You need to find ways to make security fun.
It also spurred innovation. When Georg Thomas was on the team, he wrote (in C? Georg correct me?) a simple Bluetooth utility that would pair with his phone and auto-lock his workstation when he got up and walked away.
What are some tactics YOU have used to change security culture in your organization, and what were the results?
Writer. Organisation Developer. Supporter of Change.
(7y) Peter McNamara Renee Hancock this has got me thinking...
Fraud Prevention through Behavioural Biometrics
(7y) That's great. I recently saw the security culture folks @NAB use custom Post-it notes to stick on monitors. They were so successful they ran out quickly. End users came back asking for more.
Interim CISO for Regulatory and Legal Compliance | ESI Court Appointed Neutral (Special Master) | Data Breach and Duty of Care Expert Witness
(7y) Georg Thomas that's right! Bieberfication on a stick!
DInfoTech, MMgmt(InfoTech), CISSP, CISM, C|CISO, CIPM, ISO27001 LI/LA - Experienced Information Security, Cyber Risk, Data Privacy & Technology Leader
(7y) Douglas Brush, you forgot to mention my other innovation - weaponising your policy... the Bieber-stick
DInfoTech, MMgmt(InfoTech), CISSP, CISM, C|CISO, CIPM, ISO27001 LI/LA - Experienced Information Security, Cyber Risk, Data Privacy & Technology Leader
(7y) Yes, C. To this day, I was the only one that never got Bieber'd