Last month, a story ran on Dark Reading around why security awareness is useless. I cringe reading such stories because I believe that one fundamental problem of security people is our inability to make security relevant to everyday folks. I want to hammer at the one of the key problems with security awareness training, which is a lack of engagement and the mis-understanding of company culture.
Awareness should engage security
Security Awareness programs remind me of Neighborhood Watch programs where we bond together to create a safer community. Can one hardware product or system guard you from all security threats? It’s just as unlikely that no one person can defend the entire neighborhood. We know through neighborhood watch programs that they provide community for us to help each other and get engaged. In a nutshell, working together to increase the safety of our neighborhoods that one of us alone couldn’t do. This should be the aim of awareness programs.
I have taught the basics of web application security to Fortune listed companies and to see the eyes of my students open up when demonstrating a basic SQL injection is a great “ah-ha” moment. The value in being aware of the possibilities and grasping the business risks posed by hackers was the real takeaway for these students. Engagement in security is something I feel is the missing link in making security succeed and good education programs are the most effective way to help build a good community around that. This isn’t about checklist items, this is about engaging a culture.
Your security awareness training programs should not be lists of what a user should not do. Instead, if you are developing your own program, try using action mapping as described by eLearning coach Cathy Moore, to ensure that the proper context is given to the student to understand why or how they can end up in bad situations. For instance, instead of telling them Don’t set weak passwords, help them understand the consequences to setting a weak password and how other organizations have been affected. This hits much closer to home.
Teach your teams why its important to your company to do the right thing and how it’s the little precautions that can make big differences. The goal is to help everyday people understand the value of thinking twice before they pose open a vulnerability to your organization. To think twice before they share sensitive documents, click on strange emails, or click through clearly written warnings.
People are often the weakest link and the problem is understanding how to make security matter to your company culture. InformationWeek discovered in their 2012 Strategic Security survey that most organization found awareness training a close second when it came to overall value for money.
[caption id=”” align=”alignnone” width=”468"]
source: Information Week 2012 Strategic Security Survey[/caption]
Unwritten rules of the game
You can’t play baseball without knowing the rules but even once you know the rules, there are unwritten rules that make the game more effective. Security is similar where we have rules people must follow to safeguard our organizations and computer controls act as our umpires, regulating and penalizing as users try to set weak passwords.
But in security, there are also unwritten rules that require human intuition and engagement. Things that our controls might not catch or be able to enforce, but make our organization safer and more effective. This is the subset of problems that awareness can help address and acts as a defense in depth approach.
You might think that I have a vested interest in promoting awareness training but the truth is that I want to help provide teams with the tools required to help make security successful in all organizations through engagement. To do this, you have to understand your company culture and how best to promote security training as a defense in depth strategy that flows throughout your company.
It is unlikely that we’ll be able to develop a definite set of IT controls to stop attacks such as the Coca-Cola phishing attack or even the RSA phishing attack. Both were attacks against humans where we can’t say definitively controls or awareness would have prevented. Awareness programs can be engaging ways to educate staff around why a simple act of clicking an attachment isn’t about viruses or trojans, but more about opening the door to future attacks and learning about how others have been affected. It’s debatable but I stand on the side of bringing people together to promote and encourage security and that I believe, is very useful.