Ira Winkler - Security Awareness For Dummies

This page offers a free online excerpt of «Ira Winkler - Security Awareness For Dummies»; the full version can be purchased after reading the excerpt. Genre: unrecognised; language: English. The book description, preface and reader reviews are available on the LibCat library portal.

Security Awareness For Dummies: summary, description and annotation


Make security a priority on your team

Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 
Since security programs are only as effective as a team's willingness to follow their rules and protocols, it's increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it. Security Awareness For Dummies gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization.

Written by one of the world's most influential security professionals, an Information Systems Security Association Hall of Famer, this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management.

Customize and create your own program
Make employees aware of the importance of security
Develop metrics for success
Follow industry-specific sample programs

Cyberattacks aren't going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.

Security Awareness For Dummies: read the online excerpt


For example, a user can click on a phishing message only if the antiphishing technology used by your organization fails to filter the message. If the user clicks on a phishing message and ransomware is activated, the ransomware can destroy the system only if the user has permission to install software on the system, and even then only if the system lacks the standard antimalware that should catch it. Each step in that chain is a control that the organization, not the user, is responsible for.

User error is a symptom of problems with your system. Even if a user makes a mistake, or is outright malicious, the resulting loss is a failure of the system that offered the user the harmful action and then let it succeed.

In essence, users may initiate a chain of actions that create the loss, but the loss is a result of failings in the system as a whole.

Knowing How Security Awareness Programs Work

Unfortunately, there is little consistency in what is perceived to be a sufficient organizational security awareness program. Some organizations just have users, or employees, sign a document. Many other awareness programs require employees to read the document once a year (or, increasingly, watch a video).

At the other end of the spectrum, when I started at the National Security Agency (NSA), my security awareness training actually began long before I started working there. After I passed the initial aptitude test, I was sent information to arrange for an interview. During that interview, there was a conversation about the special security considerations of working for the NSA. I was prepared for what would be involved in obtaining a top secret clearance, as well as the need not to discuss my potential employment. I was then invited to visit the NSA headquarters for further interviews.

My travel packet included a basic discussion of security requirements. Upon arrival, I was provided with another security briefing related to how to get into, and then behave within, the facilities. I met with counterintelligence officers, who provided a general overview of security requirements and then administered a polygraph exam. I also took a battery of psychological tests. During the technical interviews, I met with professionals who also discussed the job expectations, including the expected security-related behaviors. The NSA is a special case, of course — most organizations don’t engage in such rigorous screening practices.

The goal of a security awareness program is to improve security-related behaviors. The goal is not to simply make people aware of an issue. The goal is to inspire people to behave appropriately to avoid the initiation of a loss and, ideally, to detect and respond to the potential for loss. Whether people understand how their actions promote security is secondary, because the goal of an awareness program is to change behaviors, not just impart knowledge.

When I started working at the NSA, I took a 3-day security awareness class. Security awareness posters were hung on walls all over the buildings. Applicants received security newsletters and attended regular security-related presentations. These awareness tools were generally unnecessary, however. All I had to do to see how to behave was behave like everyone else. Everyone wore their badges, so I wore my badge. Everyone lined up to have their belongings inspected on the way out of the buildings. In essence, the entire culture was the awareness program. People lost their jobs because of security violations. I am not saying the NSA was perfect, because it clearly had some major failings, but for all the potential risk, the NSA experienced relatively little loss.

Clearly, few organizations in the world have the type of awareness program that the NSA has. Unlike organizations that prioritize profits, branding, and other deliverables, the NSA focuses on security. Security is the NSA brand.

A good security awareness program intends to change and improve security-related behaviors. You can incorporate many tools into an awareness plan to create that change. Chapter 7 defines a variety of tools that you can incorporate into your program. Some tools are more popular than others; however, no tool is absolutely required. The choice depends on your needs. At the end of the day, a security awareness program is essentially a set of tools, techniques, and measurements intended to improve security-related behaviors.

Establishing and measuring goals

The ultimate goal of a security awareness program is to change and improve security-related behaviors. Security programs are created to reduce loss. As an essential part of an organization’s overall information security program, security awareness should likewise reduce loss.

In Chapter 8, I discuss some metrics you can use to judge whether your awareness program successfully reduces loss. Many security awareness professionals talk about the likeability of their tools, the number of people who show up to their events, and the quality of their posters. These metrics and general impressions are nice to know, but they’re relatively useless from a practical perspective.

A metric demonstrating that you’re changing behaviors in a way that reduces loss, or preferably improves efficiency and makes the organization money, is the most useful metric to show that you’re producing value. This isn’t to say that it’s the only possible benefit of a security awareness program. Awareness programs also often provide intangible benefits to the organization. These benefits include protecting the organization from damage to its reputation, illustrating that the organization is committed to security, generating excitement and engagement among employees, and reassuring customers that your organization is actively protecting them.

If your goal is to contribute to your organization's security effort, you must identify the benefits your program will bring to the organization. Those benefits can't be that the program merely provides information; the program must improve behaviors. You must be able to show that the program returns clear value to your organization, and ideally that value should show up on the bottom line.
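As an added illustration of the kind of metric this section calls for (this is example code, not from the book or its author), the script below turns phishing-simulation results into behavior metrics rather than attendance counts. The "silent click rate", clicks that were never reported, is used as the loss proxy, because an unreported click is the one that leaves the security team with nothing to respond to. The campaign data, the number of real phishing messages reaching inboxes per year, and the cost per incident are all constructed assumptions for the example; the dollar model (silent-click rate times real phish times cleanup cost) is a simplification the book does not itself specify.

```python
"""Behavior metrics for a phishing-simulation program (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SimulationResult:
    """One recipient's outcome in one simulated phishing campaign."""
    campaign: str                              # e.g. "2024-Q1"
    user: str
    clicked: bool                              # followed the lure link
    reported: bool                             # used the report-phish button
    minutes_to_report: Optional[int] = None    # None if never reported


def behavior_metrics(results: Iterable[SimulationResult]) -> Dict[str, dict]:
    """Per-campaign behavior metrics: what people did, not what they attended."""
    by_campaign: Dict[str, List[SimulationResult]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)

    metrics: Dict[str, dict] = {}
    for campaign, rows in sorted(by_campaign.items()):
        n = len(rows)
        clicks = sum(1 for r in rows if r.clicked)
        reports = sum(1 for r in rows if r.reported)
        # A "silent click" is the loss-relevant event: the lure worked and
        # nobody told the SOC, so detection and response never start.
        silent = sum(1 for r in rows if r.clicked and not r.reported)
        times = [r.minutes_to_report for r in rows
                 if r.reported and r.minutes_to_report is not None]
        metrics[campaign] = {
            "recipients": n,
            "click_rate": clicks / n,
            "report_rate": reports / n,
            "silent_click_rate": silent / n,
            "median_minutes_to_report": median(times) if times else None,
        }
    return metrics


def estimated_avoided_loss(metrics: Dict[str, dict], before: str, after: str,
                           real_phish_per_year: int, cost_per_incident: float) -> float:
    """Translate the drop in silent clicks into money for management.

    Assumed model (not from the book): each real phishing message that reaches
    an inbox becomes an incident with probability equal to the silent-click
    rate, and every incident costs a fixed amount to clean up.
    """
    delta = metrics[before]["silent_click_rate"] - metrics[after]["silent_click_rate"]
    return delta * real_phish_per_year * cost_per_incident


def _r(campaign: str, user: str, clicked: bool, reported: bool,
       minutes: Optional[int] = None) -> SimulationResult:
    return SimulationResult(campaign, user, clicked, reported, minutes)


# Constructed sample data: ten recipients per campaign, before and after training.
SAMPLE_RESULTS: List[SimulationResult] = [
    _r("2024-Q1", "u01", True, False), _r("2024-Q1", "u02", True, False),
    _r("2024-Q1", "u03", True, True, 30), _r("2024-Q1", "u04", True, False),
    _r("2024-Q1", "u05", False, True, 15),
    *[_r("2024-Q1", f"u{i:02d}", False, False) for i in range(6, 11)],
    _r("2024-Q2", "u01", True, True, 5), _r("2024-Q2", "u02", True, False),
    _r("2024-Q2", "u03", False, True, 10), _r("2024-Q2", "u04", False, True, 3),
    _r("2024-Q2", "u05", False, True, 8), _r("2024-Q2", "u06", False, True, 12),
    _r("2024-Q2", "u07", False, True, 20),
    *[_r("2024-Q2", f"u{i:02d}", False, False) for i in range(8, 11)],
]


if __name__ == "__main__":
    m = behavior_metrics(SAMPLE_RESULTS)
    for campaign, vals in m.items():
        print(campaign, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in vals.items()})
    # Assumed figures: 200 real phish reach inboxes per year, $5,000 per incident.
    print("estimated avoided loss:",
          round(estimated_avoided_loss(m, "2024-Q1", "2024-Q2", 200, 5000.0)))
```

Reporting the report rate and silent-click rate alongside the click rate matters: a program that teaches people to report without lowering clicks still shortens the window the attacker has, and that shows up in the median minutes to report.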

GETTING THE BUDGET YOU NEED

I developed a philosophy during my career in cybersecurity:

You don’t get the budget you need — you get the budget you deserve.

Security awareness teams typically compete against other teams for budget funds and other resources. For example, the team may work under the cybersecurity, human resources (HR), compliance, legal, physical security, or another department within the organization. All these teams compete for funding and other resources. Even if your cybersecurity program has sufficient resources to fully fund all teams, including the awareness program, you have to show that you deserve the budget amount you’re requesting. You need to financially justify your efforts.

You can have plans for the best awareness program in the industry, but if you cannot demonstrate that you deserve the appropriate budget, you won't get the budget you need to implement it. Chapter 8 details how to collect metrics that help you show that you deserve what you need.

Showing users how to “do things right”

For your awareness program to help create desired behaviors, the program must show people the proper way to perform job tasks, or “do things right.” In other words, you provide instructions on how to do things properly by default.
