Ira Winkler - Security Awareness For Dummies

Here you can read online an excerpt from "Ira Winkler - Security Awareness For Dummies" completely free of charge and, after reading the excerpt, buy the full version. In some cases the audio can be listened to, the book can be downloaded via torrent in fb2 format, and a short summary is provided. Genre: unrecognised; language: English. The description of the work (the foreword) and visitors' reviews are available on the ЛибКат library portal.

Security Awareness For Dummies: summary, description and annotation

Below is the annotation, description, summary or foreword (depending on what the author of "Security Awareness For Dummies" wrote). If you did not find the information you need about the book, write in the comments and we will try to find it.

Make security a priority on your team

Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 
Since security programs are only as effective as a team's willingness to follow their rules and protocols, it is increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it. 
Security Awareness For Dummies gives you the blueprint for implementing this sort of holistic and highly secure program in your organization. 
Written by one of the world's most influential security professionals, an Information Systems Security Association Hall of Famer, this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management. 

Customize and create your own program

Make employees aware of the importance of security

Develop metrics for success

Follow industry-specific sample programs

Cyberattacks aren't going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.

Security Awareness For Dummies: read the excerpt online

Here are three of the critical differences between marketing and awareness:

Marketing addresses completely voluntary behaviors; awareness behaviors are an expected part of everyone’s job.

Marketing success can be achieved by minimal increases in desired behaviors; awareness programs aim to get as much of the user population as possible to practice the behaviors consistently.

Marketing campaigns typically target specific segments of the population to change behaviors; awareness campaigns target as much of the user population as possible.

Marketing is a comprehensive effort to understand and convince a targeted audience to perform a specific action voluntarily. Consider the key points of the preceding sentence: targeted audience, and perform a specific action voluntarily. Advertising campaigns target very specific audiences because their messaging has to be tailored to the audience. Even individual soda (or pop, or soda pop, depending on your region) ad campaigns target specific demographics. Those ad campaigns then attempt to inspire people from those demographics to voluntarily buy soda. Though soft drink companies want everyone to buy their sodas, they know which age groups and demographics are the prime targets of their products. For good reason, Mountain Dew advertisements frequently feature extreme sports, for example, and advertisements for tonic water usually feature older actors.

You, on the other hand, are targeting your entire user base, which likely contains a multitude of demographics and job roles. Remember that the security practices you promote are must-do items and not should-do items. You’re not marketing a voluntary consumer purchase that they wouldn’t otherwise make. You’re ensuring that all users are aware of the expected behaviors that will keep your organization functioning properly while protecting the organization and its customers.

Even more important, your goal is to have your users actually practice those behaviors. Marketing campaigns can usually declare success when they achieve single-digit percentage increases in their audience's practice of the desired behavior. For example, if a pizza delivery service can persuade 5 percent more people to order pizza during a football game, that might mean a 100 percent increase in sales, and the pizza seller is delighted. On the other hand, if you persuade only 5 percent of users to secure their workspace, it is better than nothing, but 95 percent of workspaces are still exposed and you still have a massive security vulnerability.

Even the campaign advocating "If you see something, say something" hopes only to inspire a small percentage of people to become more aware and report security exposures, on the theory that prodding one person out of hundreds to report something might prevent a major incident. Awareness programs, by contrast, need to create behaviors that are consistent across the organization. Again, though some aspects of marketing and advertising do apply, such as understanding the best ways to communicate with your audience, you need to understand that, unlike in a traditional marketing campaign, you are addressing multiple audiences with a message that should not be treated as trivially as choosing Pepsi over Coke.

You can, however, make use of marketing principles once you recognize the limitations of traditional marketing: you need to target multiple audiences, and you will likely need to create multiple streams of communication with different messaging for each. More important, your messaging should be treated as seriously as other critical messaging, such as sexual harassment and fraud prevention. Part 2 of this book covers methods to achieve consistent behavior change across various subcultures.

Distinguishing Social Engineering from Security Awareness

This section is personal for me. I started working in the awareness field as a result of performing social engineering simulations, after which companies invited me to come in and present awareness programs that told people exactly how I messed over the company, so that people would know what to look for in the future. I entertained people with my stories, which the Wall Street Journal referred to as "... alternating between hilarious and harrowing." The stories were definitely memorable. When I later went back to my targets to measure improvement, however, the gains were small at best.

Consider that just because you can stab a person doesn’t mean that you can perform the surgery to repair the damage you caused. It’s unfortunately easy to physically harm a person with a knife; it takes infinitely more knowledge and skills to use a knife to save the person’s life. It’s a completely different skillset. Having performed social engineering for decades, I can state that it’s easy to trick a user into giving up information. It’s infinitely harder to train an entire population of users not to divulge information on a consistent basis. It’s likewise a completely different skillset.

Social engineering is a broad term for nontechnical attacks that, on their own or in support of a technical attack, gain access to computers or information, or otherwise target them. Phishing is the most common example, but dumpster diving, shoulder surfing, and telephone pretext calling are also common social engineering attacks. The most iconic attack is the one where someone calls a user, pretends to be from technical support, and asks for their password.

To be good at what they do, social engineers essentially have to be good liars. They know how to exert transactional influence: they manipulate a user into performing a one-time act that the user should not otherwise perform.

Social engineering requires a skillset that is completely different from the one awareness requires. A social engineer has to find one trick of influence that works at one given point in time to succeed. An awareness professional, however, has to create consistent behaviors on the part of users with whom they may never have a personal interaction. A social engineer might find holes that need to be fixed, but, to use an analogy, fixing a hole in a dam does not strengthen the dam as a whole.

Showing users that a threat is real does make the information a bit more memorable, so they retain it for a few more weeks. This is valuable for slowing the decay described by the Forgetting Curve, which is discussed in Chapter 3.

Though social engineers do not necessarily have transferable skills for designing an awareness program, social engineering tests can be a useful way to gather metrics. Social engineering, when performed properly, can determine how people will actually perform when faced with a real attack. However, do not fall into the trap of believing that social engineers are competent awareness professionals by default. Awareness is much more than telling people which tricks not to fall for. It is telling people how to behave properly on a consistent basis.

Addressing Mental Models That Don’t Work

“Hackers are unstoppable geniuses.”

“There may be computer crimes, but it won’t happen to me.”

“I am too unimportant to be a target.”

These statements represent common mental models that I deal with in security awareness programs, and these mental models are both harmful and wrong.

Mental models reflect the way a person perceives their environment. For example, in most countries, the hot water faucet is on the left and the cold water faucet is on the right. Red usually means something bad or "stop," and green means safe or "go." When I visit a US airport, I expect that flights on a monitor will be listed alphabetically by destination. When I am in Europe or Asia, I generally need to know the departure time before I look at a monitor to find my gate. I can usually pick up a TV remote control and figure out how to turn on and use any TV. You might naturally assume that working with users' existing mental models would be just as useful in security awareness, but this is not the case.
