People’s mental models regarding cybersecurity are both inconsistent and frequently wrong. This causes them to make bad decisions. Most computer criminals are opportunists who take advantage of bad cyberhygiene (basic computer practices), such as not installing antimalware software or not performing backups.
Your goal is first to understand the current mental models that serve as a barrier to positive security behaviors within your user base. Then you must create correct mental models to replace them with. You need to instill strong security practices as a habit.
If your users believe that hackers are unstoppable geniuses, you need to talk about how they are frequently caught and how someone in your organization thwarted attacks by practicing what you preach. If they believe it will never happen to them, talk about how the organization suffered attacks. Show people how theoretically unimportant targets were used to gain access to other parties. You need to understand and dispel the harmful mental models, not try to adapt them to your needs.
Chapter 5 discusses getting to know the users, which includes how they perceive security concerns. When you understand how mental models are undermining security awareness efforts, you can start to address them head-on and begin to change perceptions.
Making Perfection the Stated Goal
Perhaps the greatest form of self-sabotage you can commit as a security awareness professional is to overpromise what your program can deliver. For example, telling management to expect a human firewall to work — that your users will be both your first and last line of defense — sets you up for failure.
In the first place, nobody will believe you. Because no experienced security professional would expect perfection, you lose at least some of the credibility you may have had from the start. Then, the first time you have an inevitable security incident, the occurrence chips away at your remaining credibility.
As I discuss in Chapter 3, the goal of a security program is risk management. A competent CISO doesn’t promise perfect security. They say that they’re working to manage the organization’s risk by implementing a security program. They don’t promise to defeat bad people. They don’t promise that incidents will never happen. They essentially say that they will reduce loss.
Keep any and all claims you make reasonable and based on the potential for risk reduction. To demonstrate risk reduction, you must gather data and make reasonable and defensible claims of potential loss reduction.
You should always collect metrics before you start rolling out an awareness program. These metrics are commonly referred to as Day 0 metrics, and they serve as the baseline against which you show the value you create.
Even if you want to strive for perfection, you need to figure out where you are beginning. Too many awareness practitioners start their programs without figuring out how to judge their success. With awareness, it’s easy to see failure — but almost impossible to see success without proactively looking for it.
With all business processes, there has to be a definition of success — and that comes in the form of metrics. I talk about various types of metrics in Chapter 8, but for now you need to understand that without knowing where you’re starting from, you may never know the level of success you have achieved.
Even in the absence of perfection, by collecting metrics throughout the lifecycle of your program, you can demonstrate the real value you return.
Prioritizing Program Over Product
When people think of security awareness programs, often the first things that come to mind are computer-based training (CBT) and phishing simulations. When implementing a program, the person responsible for a security awareness program typically chooses a vendor and then determines which of the vendor’s products to use. Awareness programs should be a strategy for effectively addressing the risk associated with user actions. Products are potential tactics, which may or may not address a piece of a strategy. Though some tactics are common, they are not a strategy to address user risk. If you want a program instead of a product, there has to be more than just a choice of which products to roll out.
Consider what you would say if, when asked about a technical security program, a security engineer said they were buying a firewall and antimalware. Clearly, both of those products are required, but they don’t make for a complete security program, because attackers can bypass these products or find flaws in how the products are implemented. They leave too many other vulnerabilities unaddressed, even if they individually function perfectly.
With awareness, focusing solely on implementing products is also an incomplete approach. You need to determine how to roll out the entire program. You need to identify the components of the program and its metrics, the organization’s subcultures, and more. As mentioned previously in this chapter, if you’re incomplete in how you implement an awareness program, you will reach only a small population of users, and in ways that may not impact them. Part 2 of this book covers the appropriate process.
If a system exists to simplify implementation of phishing and CBT, it represents the implementation of products and not the implementation of a comprehensive awareness program. If your goal is just to implement a Check-the-Box awareness program, however, product implementation is likely all you need.
Choosing Substance Over Style
When I worked for the NSA, it was clear that any mishandling of sensitive information could result in an employee’s termination and, potentially, prison. The NSA allowed some gimmicks and creativity as part of its security awareness efforts, but providing entertainment definitely wasn’t a priority. We employees didn’t watch comical videos. We didn’t play games where we sat around and won prizes if we guessed the amount of prison time we might earn. Violations were serious offenses and were portrayed as such.
Entertainment has its place. Contests are useful for engagement. Humor can enhance engagement. Giveaways are fun and can provide reminders of awareness messages. But the purpose of a security awareness program is to change and improve security-related behaviors. Your efforts should focus on the activities and formats that contribute to behavior change.
Though you want material that is engaging, there is a fine line between engaging and trivializing. Humor, when used appropriately, can enhance learning. Avoid using humor for serious subjects, however. You don’t see humorous videos regarding sexual harassment. Humor can trivialize an otherwise important concept, and you need to ensure that people understand that strong security behaviors can prevent significant loss.
Unfortunately, I have seen many awareness efforts that lead with humor. The users like it, if it’s done well; however, that doesn’t mean it has the desired impact, which is to change behaviors. You don’t want to bore the audience, but you do want them to take your lessons seriously and apply the information.
There’s nothing wrong with telling people sometimes that they have to do something because they simply have to do it. You’re paying them to perform a function. In other departments, such as accounting and human resources, people know that they might be fired or that they won’t get paid if they fail to do certain things, such as properly fill out a time card. You can do the same with security responsibilities.