Motivating users to take action
Awareness professionals naturally want to believe that if they inform a person about an obvious concern, that person will take appropriate action, just by virtue of having received the information. In my experience, this assumption too often proves incorrect. Gaining compliance requires much more effort than simply relaying information. You need a detailed strategy, specific to your circumstances, that involves enforcement and creating a culture where everyone implements the expected behavior by second nature as part of their normal job function. (I discuss these strategies in detail in Part 2 of this book.)
Consider how this dynamic plays out in the rest of your life. Most people know that eating healthy foods and exercising can improve their health. In some cases, they even know that they can face dire medical consequences if they refuse to eat well. Yet they continue to ignore the advice. Relating this example to security awareness, the trick is to ask people to do a few simple things differently that will reduce an organization’s risk profile hugely and quickly, not make them into security experts.
BJ Fogg, a Stanford University researcher, developed many highly accepted concepts of human behavior. One of those behavioral concepts is the information-action fallacy, which is the belief that if you tell a person what they should do, why they should do it, and how it directly benefits them, they will do it. Just as this strategy doesn’t work in fitness, neither does it work with security awareness, where the implications are less dire for the individual.
When you implement your awareness program, you must dispel any belief on the part of yourself and the security team that, just because you inform people of an apparently critical issue, they will follow your guidance.
Working within the compliance budget
The compliance budget concept highlights how employees at work have a variety of requirements placed on them and their time. They have to balance how much time they use to satisfy various required tasks. The compliance budget accepts that users may well understand the importance of good security practices. It also acknowledges that users may consider other concerns to be equally or more critical. The more embedded security practices are within a job function, the more likely the practices will be implemented.
For example, if a user is running late to a critical client meeting, even if they know that securing the workspace is important, will they make themselves even later to the meeting to secure their computer and lock away sensitive documents? How do they determine which correct action takes priority? If you portray the security practices in your awareness program as a should-do item, you allow the user to ignore your guidance in favor of more apparently pressing issues. If your guidance is defined as a must-do item, however, it’s much more likely to be followed and implemented.
Users are typically balancing a variety of concerns, both personal and work related, and you need to consider how you’re presenting your materials with regard to positioning security awareness, among all the other daily concerns across their work and personal lives. This is where nudges and other properly placed security reminders, as discussed in Chapter 7, can have an impact on diligent users.
Limiting the Popular Awareness Theories
This section is probably the most controversial one in this book, as I take on a lot of popular concepts that I consider specious. When I read articles written by seemingly well-meaning security awareness experts, I see them quote scientific studies on psychology and marketing, among other areas, and I hear terms like mental models thrown around. These studies present ideas that seem important, but at the end of the day, I consider these ideas not practical to improve behaviors across an entire organization. I’m not saying that they’re irrelevant, but the focus on these sciences appears to be misplaced (as I discuss in the next section).
Applying psychology to a diverse user base
Yes, psychology can be a useful subject, and it defines the personality types of various people. At one level, by understanding various personality types, you should be able to understand the diverse thinking among your target audience. However, properly implementing psychology as a science as a fundamental part of your awareness program means developing awareness targeted to individual personality types.
Consider that there is no single form of psychology. Consider that a psychologist works with each individual in a way that satisfies that person’s individual needs. Just as some techniques work better than others for various types of psychological problems and personalities, it’s the same for awareness.
IF YOU SEE SOMETHING, SAY SOMETHING
The title of this sidebar represents one of the most effective counterterrorism campaigns ever, used by US authorities to encourage people to report suspicions that might be associated with terrorism. At the same time, if you consider this campaign, it represents why awareness is also a failure. Specifically, successes from the instruction “If you see something, say something” result from one person’s noticing and reporting certain behavior or an event that other people may or may not notice — and that fewer report.
The campaign tries to reach as many people as possible to inspire one person to take action that others will not. Your awareness efforts aren’t measured by one person’s doing the right thing just one time, but by as many people as possible doing the right things consistently. This distinction is critical. Yes, inspiring one person to report problems that other people miss (or simply don’t report) is helpful, but your job is to significantly improve user behavior across the organization. As you check out this section, consider this context:
Sciences and tools used in awareness are truly valuable only if they can consistently change behaviors across large numbers of users.
Many people confuse behavioral science with psychology. Likewise, they mistake organizational psychology for individual psychology. Psychology can be useful, but you have to understand its limitations. Psychology focuses on individuals, whereas you have to focus on impacting the organization. This is a numbers game. In Chapter 7, where I address a variety of communications tools, I generally recommend that you attempt to use as many as possible. The reason is that people will respond differently to various types of tools and messaging. You need to understand that some types of communications, such as an anime-style video, may intrigue some people and completely disenfranchise others. Though this statement seems obvious, it’s easy to forget when you have your personal preferences.
Differentiating between marketing and awareness
Marketing programs create a mental hook in getting people to understand desired actions, and they influence people to take those actions. “If you see something, say something” is a great example of a marketing campaign that produced some noticeable results. (See the previous sidebar, “If you see something, say something.”) Understand, however, that fundamental differences exist between the practical implementation of marketing programs and security awareness programs.