I love the new TV show “Scorpion”, which depicts extreme geniuses Walter O’Brien and his team solving high-risk crisis scenarios with nearly impossible solutions. The real-life Walter O’Brien, whose high IQ and comparable achievements inspired the drama, identified the brothers behind the Boston Marathon bombing, according to CBS Boston.

O’Brien comes by his intellect naturally. Enterprises, by contrast, are still searching for man-made ways to raise the security IQs of employees whose risky behavior welcomes attackers in through the front door.

How We Treat Low Security IQs Today

Whether you call it a low security IQ or a lack of awareness and discipline, employees make bad security choices. You can’t get through a month now without hearing about another major corporate data breach. The kicker is that the low security IQs that put enterprise data at risk are often found among the people who lead the enterprise.

The Ponemon Institute recently surveyed more than 1,000 enterprise employees worldwide, most of them senior-level, about risky security behavior. The results are an unsettling trip down corporate “Disturbia” lane.

According to the report, “Breaking Bad: The Risk of Insecure File Sharing”, half of the participants said they don’t know whether their enterprise can manage and control user access to sensitive data, or how employees share and distribute data. Sixty-one percent said they often share files via unencrypted email, don’t follow policies that dictate when to delete confidential documents, and accidentally send files to people the company has not authorized to have or view them.

Perhaps the enterprise shouldn’t promote those who click before they think, but being too harsh or expecting too much of employees does not help either.
A punitive approach to modifying risky employee behavior is a key obstacle to raising security IQs. “A punitive approach leads to counter reactions where employees become disengaged and don’t want to be forthcoming when there is a security issue,” says Scott Greaux, Vice President of Product Management, PhishMe.

Equally counterproductive is the tendency to overwhelm employees with too much information about security issues, or with information they can’t grasp. “You don’t need to tell everyone everything or to have them be security experts. Simply make sure they understand the risks that they face,” says Greaux.

Solutions for Raising Security IQs / What Does It Take?

To raise security IQs, security departments must be available, appreciative, and responsive sounding boards for any security issue an employee would even consider sharing. “For example, have a method by which users can forward a suspect email to a trusted party who can determine whether it is clean or malicious,” says Rich Owen, CISO, American Traffic Solutions and Hall of Fame Member, the ISSA. These are opportunities to involve and engage employees, teach them, and help them sharpen their skills and judgment for spotting phishing and other attacks.

Enterprises should reward end-users for reporting suspicious emails, and let their managers know they are actively protecting the company. It’s good positive reinforcement and good for morale.
“Each month take the list of people who reported suspicious email and randomly select one or more for a $100 gift certificate,” says Owen, who avoided $20 million in costs in the development of the Shuttle Systems security program for Mission Operations at NASA’s Johnson Space Center.

Owen’s most effective reinforcements for raising security IQs over time include: giving a $100 gift certificate immediately to an employee who reports a significant security issue; taking no action against an employee who opens an infected link or document but reports it immediately; and including adherence to security standards and procedures in everyone’s job description.

Use What You Have

Enterprises should exercise their creative muscle to squeeze everything they can out of the security measures they already have, including every opportunity they offer to reinforce employee security consciousness. For example, enterprises can use Data Loss Prevention (DLP) technology simply to monitor and block attempts to funnel data out of the organization, but if that’s all they do with it they are missing a great opportunity.

“I used DLP to monitor outgoing email, looking for unencrypted PII. The business monitored these events and flagged the ones we needed to closely examine. If an employee sent something they shouldn’t have, we had a conversation with them and used it as a teaching opportunity, not as a means to get someone into trouble,” says Michael Eisenberg, Global CISO emeritus, AON Plc.

“We clarified with the employee whether they should have sent the information in an encrypted form and ensured they were aware of circumstances that require encryption. Employees were genuinely concerned during these discussions, which achieved strong behavior modification,” says Eisenberg.

AON Plc used DLP first to count the instances of employees attempting to send unencrypted PII (Social Security numbers, for example) out of the enterprise.
As the subsequent interventions and conversations led to fewer instances, the company was able to gauge its progress and fine-tune the conversations to increase their effectiveness. This was, literally, a definable metric for the state of security behavior and whether it was improving or declining.

“Anyone can simply start blocking emails and never let employees know that they blocked their communications. The maturity play is to use DLP to understand the risks and address them with employees in the environment in order to make a difference,” says Eisenberg; “if you don’t use DLP to teach people what you expect then you are doing them and yourselves a disservice.”

Sim Tools Rule

Enterprises should use tools that educate about specific, high-risk employee behavior. Opening phishing emails is one of the riskiest. PhishMe, for example, lets an enterprise send harmless mock phishing emails to employees to measure how susceptible end-users are to this kind of trap. (Similar threat simulation tools include ThreatSim and tools from Wombat Security Technologies, including PhishGuru, SmishGuru, and USBGuru.)

“Then you can let them know that they have fallen for a mock phishing attempt. It makes them think twice about opening those emails,” says Eisenberg; “as much as we educate people, a lot of them don’t know about phishing.” The enterprise must also include specialized phishing education for executives and engage them as well. “It’s easy to locate and target executives whose names are on public websites. LinkedIn has made it easy for hackers to perform reconnaissance of the enterprise,” says Eisenberg.

Make It Personal

Select people from among your employees to become security champions.
Empower them to help their peers. Recognize employee success, both in the champion role and as advocates of security. Use games and contests to reinforce methods for securing the environment. Let employees submit ideas and methods for improving the processes and behaviors that support good security practice.

“Help people with something they are concerned about in their personal lives. Share a one-pager with several methods to protect their credit card information at home and throughout their lives. The goal is to establish protection for their personal information, but it all applies to the organization as well. Build that win-win approach into the colleague community,” says Eisenberg.

By learning what drives people and harnessing that drive, any enterprise can sharply curb bad security habits.
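As an added illustration of the DLP-as-metric approach Eisenberg describes under Use What You Have, the Python script below is not AON’s, PhishMe’s or any vendor’s code. It scans a constructed set of outgoing mail records for Social Security numbers, flags only the messages that leave the organization unencrypted, and tallies the flagged messages per month, which is the metric the article describes. The internal domain example.com, the mail records and the gateway-supplied encrypted flag are all assumptions made for the example. The SSN validity rules it applies (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid) follow the published SSA number structure, and they are what keep a nine-digit order number such as 000-12-3456 from being counted as an incident.

```python
"""Added example (not the article's or AON's code): a minimal outgoing-mail
DLP check plus the monthly incident metric described under Use What You Have.
All mail records below are constructed; example.com is the assumed internal domain."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Nine digits in the usual SSN layouts (123-45-6789, 123 45 6789, 123456789),
# not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    group 00 and serial 0000 are invalid. Cuts false positives from order
    numbers and other nine-digit references."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs in text, normalized to 123-45-6789 form."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if looks_like_ssn(a, g, s)]


@dataclass(frozen=True)
class OutboundMail:
    sent: date
    sender: str
    recipient: str
    encrypted: bool  # assumption: set by the mail gateway when the message was encrypted
    body: str


def is_external(addr: str) -> bool:
    """True when the recipient is outside the organization's own domain."""
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def flag_unencrypted_pii(mails: list[OutboundMail]) -> list[tuple[OutboundMail, list[str]]]:
    """The DLP policy: flag messages that leave the organization unencrypted
    and carry at least one SSN. Internal and encrypted mail is not an incident."""
    flagged = []
    for m in mails:
        if m.encrypted or not is_external(m.recipient):
            continue
        ssns = find_ssns(m.body)
        if ssns:
            flagged.append((m, ssns))
    return flagged


def monthly_incident_counts(mails: list[OutboundMail]) -> dict[str, int]:
    """The metric: flagged sends per month, with zero for quiet months so a
    decline after the teaching conversations is visible."""
    counts = {m.sent.strftime("%Y-%m"): 0 for m in mails}
    for m, _ in flag_unencrypted_pii(mails):
        counts[m.sent.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


# Constructed sample traffic: two incidents in September, one in October, none in November.
SAMPLE_MAILS = [
    OutboundMail(date(2014, 9, 3), "alice@example.com", "claims@insurer.example", False,
                 "Hi, the claimant's SSN is 123-45-6789, please process."),
    OutboundMail(date(2014, 9, 5), "frank@example.com", "records@partner.example", False,
                 "Please verify 234567890 against your records."),
    OutboundMail(date(2014, 9, 10), "bob@example.com", "payroll@example.com", False,
                 "Internal: new hire SSN 456-78-9012."),  # stays inside the organization
    OutboundMail(date(2014, 9, 17), "carol@example.com", "auditor@bank.example", True,
                 "Encrypted attachment covers SSN 555-12-3456."),  # encrypted, as policy requires
    OutboundMail(date(2014, 9, 24), "dave@example.com", "buyer@customer.example", False,
                 "Your order 000-12-3456 ships Friday; ref 12345678."),  # not an SSN: area 000
    OutboundMail(date(2014, 10, 8), "erin@example.com", "broker@partner.example", False,
                 "Applicant: 321 54 9876, DOB on file."),
    OutboundMail(date(2014, 11, 12), "alice@example.com", "claims@insurer.example", True,
                 "Claimant details are in the encrypted attachment."),
]

if __name__ == "__main__":
    for mail, ssns in flag_unencrypted_pii(SAMPLE_MAILS):
        print(f"{mail.sent} {mail.sender} -> {mail.recipient}: unencrypted SSN(s) {ssns}")
    print("Incidents per month:", monthly_incident_counts(SAMPLE_MAILS))
```

Run as a script it lists the three flagged messages and prints the per-month counts. In practice the records come from the mail gateway’s logs and a production DLP engine also inspects attachments and other PII types, but the two halves shown here, a detection rule tight enough to avoid false positives and a count per period that can be tracked as conversations with employees take effect, are the pieces that turn blocking into a metric.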