Ira Winkler - Security Awareness For Dummies

Here you can read an excerpt of the e-book «Ira Winkler - Security Awareness For Dummies» online, completely free, and after reading the excerpt buy the full version. In some cases audio is available, the book can be downloaded via torrent in fb2 format, and a brief summary is provided. Genre: unrecognised, in English. The description of the work (foreword) as well as visitor reviews are available on the ЛибКат library portal.

Security Awareness For Dummies: summary, description and annotation


Make security a priority on your team. Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 
Since security programs are only as effective as a team’s willingness to follow their rules and protocols, it’s increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it.
gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization.
Written by one of the world’s most influential security professionals—and an Information Systems Security Association Hall of Famer—this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management.

Customize and create your own program

Make employees aware of the importance of security

Develop metrics for success

Follow industry-specific sample programs

Cyberattacks aren’t going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.

Security Awareness For Dummies: read the excerpt online


If you need to provide more detailed information than you can provide in a given communications medium, you might want to link to or refer to a more detailed information source, such as the knowledgebase I describe in Chapter 7. This way, you can provide your intended message and ensure that common knowledge is available.

Borrowing Ideas from Safety Science

Perhaps one of the most valuable sciences an awareness professional can research is safety science. To put it simply, safety science intends to prevent workplace injuries. Workplace injuries create tangible loss to an organization. Organizations must deal with not only the immediate cost of treating the injury but also lost productivity, medical costs, potential lawsuits, legal penalties, regulatory penalties, increased insurance costs, and other losses. Depending on the industry, operations may cease if an injury occurs.

Clear costs are associated with workplace injuries, so specific cost savings are generally easy to attribute to efforts that prevent them. Extensive resources, with sponsorship from top executives, are understandably put toward safety efforts. Regulatory requirements can also push executives to invest even harder. Security awareness efforts, on the other hand, provide benefits that can be more difficult to measure. When a user makes an error related to security, they may not injure themselves, but they can definitely cause damage to the organization. So safety science has to be adapted to cybersecurity practices.

Recognizing incidents as system failures

A critical philosophy adopted in safety science says that if an employee injures themselves, it’s a failure of the entire system. The idea is that a user should never be in a position where they can injure themselves, and even if they are injured, the extent of the injury should be minimized.

Safety science identifies these three phases to an injury:

The environment that puts a user in a position where they can injure themselves

The action that creates the injury

The response to the injury

Safety experts first focus on creating a workplace that is less likely to cause an injury. For example, I spoke to the safety manager at a manufacturing company where I was creating an awareness program, who told me that the company had problems with forklifts hitting employees inside a warehouse. After studying a variety of alternatives, company leaders decided on the simple act of painting yellow lines down the aisles of the warehouse. Employees were to walk on one side, and forklifts were to stay on the other side. This strategy stopped approximately 90 percent of accidents involving forklifts.

Because you can never completely remove the possibility of injury, you must consider that users will be in a position to injure themselves. Safety science then studies the role of awareness, as well as what IT professionals call the user experience. If a user is operating a piece of equipment that is too big for them, for example, they can injure themselves. Likewise, if the user doesn’t know how to properly use the equipment, they can injure themselves. Even if the user does know what to do, they might not do it as intended.

As I discuss in Chapter 1, you have to work with other teams to create a resilient environment, and when you know your environment, you can train people how best to use it.

Just because a user is aware of what to do doesn’t mean that they will do it. They may not have mastered the information. They might know what to do and not have motivation to do it. They might want to implement the awareness information, but they might be in a rush and take shortcuts. For many reasons, even an aware user might not follow awareness guidance.

Responding to incidents

Even with the best awareness, someone will injure themselves. You therefore need to put in place an environment that expects an injury and attempts to reduce its severity. This includes ensuring that first aid kits are in place, along with properly trained first responders, the ability to shut down operations if required, and other procedures. This also includes a post mortem (a post-incident review) of the injury to examine how similar injuries can be prevented in the future.

The root of the problem is not that a user takes an unaware action but rather that the user’s actions create damage. Safety science looks at the process holistically.

Though someone should address safety problems in a cohesive way, awareness professionals seek only to create better-implemented awareness programs. Understanding how your work as an awareness professional fits in with the overall loss reduction program is important. You can then work with the other security teams to coordinate your efforts and tailor them to fit within the broader program.

Applying Accounting Practices to Security Awareness

A proper accounting program protects an organization from financial loss. Accountants study financial processes and determine where losses can occur and how to control them through processes.

In much the same way that safety scientists figure out how a person comes to be in a position of potential injury and proactively try to remove that potential, accountants try to put processes in place to proactively remove the opportunity for financial errors. This involves proactively tracking financial and tangible resources. It means that all resources are categorized. This is why so many apparently annoying processes are in place in many businesses.

Likewise, a person has to endure many processes when they’re in the middle of a financial transaction, and follow detailed operational guidelines for how transactions are to be performed. For example, when I travel and have to file an expense report, I have to meet specific requirements for the level of documentation required. In some cases, I can just ask for a flat amount for all meals. In other organizations, I have to categorize every expense I want to be reimbursed for and then provide a receipt for any charge. In one case, I left out the receipt for a $4.53 Frappuccino, and the complete expense report claiming more than $3,000 was rejected until I could find the receipt.

Though I of course cursed the accounting department, I recognize that they’re just following the rules. Those rules were put in place because of the historical fraud that occurs whenever people submit fraudulent expenses. Clearly in this case, the organization expended more in lost labor costs between my time to redo the expense report and the time spent by someone in the accounting department to review the report thoroughly — twice. However, the processes were put in place to prevent what could become a large amount of fraud in aggregate.

Similarly, time tracking is critical for paying employees inside organizations. If people don’t properly enter and certify hours worked, they may not be paid. Therefore, people enter their information accurately and on time.

Note how nobody argues about most accounting processes. Nobody argues that it’s unfair to the user to not pay them if they don’t complete the time card properly. Nobody argued on my behalf for my organization to pay my travel expenses without the required documentation. Essentially, these accounting practices are a must-do item, not a should-do item. When you want cybersecurity practices to be a must-do and enforceable, you can point to these examples as evidence that the organization already penalizes employees for not following other critical processes.

