Business Reporter

American View: Why You Owe Your Users an Explanation When Security Processes Change


One of the core philosophies of the security human risk management profession is that people who wilfully and knowingly violate mandatory security controls are not necessarily motivated by malice. In many cases, violators genuinely believe that their actions are correct and necessary. They might misunderstand the need for a control, or how the control works, or what the stakes are that the control attempts to address. Most often, I’ve found that wilful noncompliance comes from well-intentioned workers not understanding why a control is needed. This is especially true when control changes occur; once people get used to a process, changes to how they execute it become an annoyance. 


I understand why this might seem strange; business school types teach that workers are perfectly rational actors who will obey orders unquestioningly. That’s a fine assumption for a small case study, but it’s absurd when expected in the real world. People aren’t robots. The notion that management can simply give an order and expect instantaneous and total obedience is preposterous. People instinctively resist change even when it’s good for them; if you can’t convince people of the need, utility, and value of your required change, your workers will usually resist the required change on principle.


This is why I teach new security human risk people that it’s critical for them to explain why a change is necessary when introducing new protocols, processes, or controls. Sure, explaining the “why” part takes extra time and effort, but doing it pays dividends down the line in the form of greater compliance.

This idea came up in a strange way Saturday morning. I was on the couch finishing my coffee, waiting for my eyes to uncross. My boys were passing back and forth through the living room, arms full of Warhammer minis, getting ready for a match against their mates at The Citadel up in Grapevine. [1]


I listened patiently while my boys chatted tactics and rules relevant to the day’s battle. When they said something that I didn’t understand – which didn’t take long; I’m not a Warhammer player – I asked them to explain what they meant by “1d6+4 attacks” for a mortar squad my youngest was planning to field. [2]

After explaining the rules of artillery scatter effects against units, my boys pivoted to explaining the game design logic behind why the rules are currently written the way they are. If I understood them correctly, the process for field guns and mortars had – up through Warhammer 40K 7th Edition – involved playing a plastic “template” over whatever target the attacker wanted to shell and then rolling a bunch of dice to determine how far and in what direction the template shifted to reflect the accuracy of the guns, wind drift, and so on.


Changes in the placement of the template off of the original point-of-aim, in turn, determined how many of the defender’s models were caught in the blast (and, therefore, could be blown to bits).


“This caused fist fights,” my oldest said. “People always argued about which models were and weren’t ‘in’ the blast zone. The nit-picking slowed everything down and made every game a slog.”


In the 8th edition of the game, my boys explained, the designers attempted to address player complaints about artillery fire rules. The template placement process was dragging down gameplay and made players furious. Therefore, in the new edition, the designers got rid of the templates entirely and simply had the defender’s entire unit targeted, then gave the attacker a much simpler die roll, a “number of attacks” against the defender, representing how many of the shells actually hit their target. [3]

As a matter of practical necessity, war games must be simplified and abstracted if they’re to be played in less time than it takes to invade and occupy a real country.

What made all this game lore important to me was how my boys lit up when they related how the game designers had clearly explained their intent: why they felt it was necessary, what it was intended to achieve, and how they anticipated their changes would positively affect gameplay. My boys felt like they were participating in a necessary process change rather than being forced to implement it. Even if they disagreed with some aspect of the new rules, they understood why the radical changes were necessary … and, therefore, felt a sense of obligation to comply. 


That is, I strongly believe, the right way to go about process change management. As much as I’d like to have hardback rule books that comprehensively articulate all core processes with their design logic, I’ve only ever found one company willing to let me publish such a thing. Failing that, I believe that us security human risk people need to invest the extra time and effort needed to explain major process changes when we train. 
For example, say your CISO decides that all admin passwords must contain at least one cuneiform character. Maybe the auditors will be satisfied once all personnel are told of the required change, but security and IT won’t consider the job done until all personnel comply with the new standard. The trouble is, just telling workers the new expectation won’t reliably motivate change; some users will instinctively push back. First, because it’s a change and changes are annoying. Second, because people reflexively question why a seemingly capricious and arbitrary complication is being forced on them. Why are the “security sadists” jerking them around?


A simple explanation delivered up-front will pre-empt the inevitable backlash. “We’re making this change to thwart a specific cybercrime syndicate that’s been targeting us. We know that their PCs don’t support cuneiform characters, so this change will make it nigh impossible to reproduce our passwords.” People might not believe the change will work, but they’ll understand the necessity driving it ... making them more likely to give it a shot. 

Pun intended. How could it not be? C’mon …

Explaining your logic and intent up-front not only disarms reflexive opposition, it also paves the way for making additional changes later … including roll-backs. If the cuneiform character password requirement in my silly example didn’t stop the baddies, then dropping that requirement a few months later won’t harm the security team’s credibility. “We tried a change. It didn’t work as well as we wanted, so we’re shifting to a new method.” People get that. They’re more likely to roll with the changes when they grok the process designer’s intent and when they feel included in the change effort rather than simply subject to it.
Remember that the strategic goal of security human risk management is to improve individual and collective security behaviour. That means addressing how people feel, not just changing what they know. It’s a challenging and messy job, but it’s worth it in the long run for the positive effects it’ll have on your organisation’s security culture. Remember, good security comes not just from consistent individual compliance but from a culture that expects and compels compliance peer-to-peer.

Seriously, the best way to ensure required changes take hold across your entire organisation is to make key influencers and leaders understand why the changes are necessary, reasonable, and effective. Even reflexively grumpy people will get on board when the peers they know and trust buy in to the new rules.


[1] The Citadel is supposed to be the largest Warhammer store in North America. Dunno about that, but I can say confidently that it’s a friendly place with helpful staff, huge playing areas, and a good café. 
[2] I’m not interested in playing the game … certainly not in parting with the thousand or so bucks it’d take to get the plastic minis and paints and what-not that’s required to field an army. Still, I’ve made it a point to learn about my boys’ hobbies and to take an active interest in what’s important to them so as to validate and respect their choices … something my father never did with me growing up. 
[3] If I botched this, I apologize. This is what I took away from my boys’ explanation. 
