Security Awareness For Dummies. Ira Winkler

Read online: Security Awareness For Dummies - Ira Winkler, page 13

      IF YOU SEE SOMETHING, SAY SOMETHING

      The title of this sidebar is the slogan of one of the most effective counterterrorism campaigns ever run, used by US authorities to encourage people to report suspicions that might be associated with terrorism. At the same time, the campaign illustrates why awareness alone is also a failure. Each success of “If you see something, say something” results from one person noticing and reporting a behavior or event that other people may or may not notice, and that even fewer of them report.

      The campaign tries to reach as many people as possible to inspire one person to take action that others will not. Your awareness efforts aren’t measured by one person’s doing the right thing just one time, but by as many people as possible doing the right things consistently. This distinction is critical. Yes, inspiring one person to report problems that other people miss (or simply don’t report) is helpful, but your job is to significantly improve user behavior across the organization. As you check out this section, consider this context:

       Sciences and tools used in awareness are truly valuable only if they can consistently change behaviors across large numbers of users.

Many people confuse behavioral science with psychology. Likewise, they mistake individual psychology for organizational psychology. Psychology can be useful, but you have to understand its limitations: psychology focuses on individuals, whereas you have to focus on influencing the organization as a whole. This is a numbers game. In Chapter 7, where I address a variety of communications tools, I generally recommend that you use as many of them as possible, because people respond differently to different types of tools and messaging. A given type of communication, such as an anime-style video, may intrigue some people and completely alienate others. Though this statement seems obvious, it’s easy to forget when you let your personal preferences drive your choices.

      Differentiating between marketing and awareness

      Marketing programs create a mental hook that helps people understand a desired action, and then influence them to take that action. “If you see something, say something” is a great example of a marketing campaign that produced noticeable results. (See the previous sidebar, “If you see something, say something.”) Understand, however, that fundamental differences exist between the practical implementation of marketing programs and that of security awareness programs:

       Marketing addresses completely voluntary behaviors; awareness behaviors are an expected part of everyone’s job.

       Marketing success can be achieved by minimal increases in desired behaviors; awareness programs intend to inspire as much of the user population as possible to practice the behaviors.

       Marketing campaigns typically target specific segments of the population to change behaviors; awareness campaigns target as much of the user population as possible.

      Marketing is a comprehensive effort to understand a targeted audience and convince it to perform a specific action voluntarily. Consider the key points of the preceding sentence: targeted audience and perform a specific action voluntarily. Advertising campaigns target very specific audiences because their messaging has to be tailored to each audience. Even individual soda (or pop, or soda pop, depending on your region) ad campaigns target specific demographics, and then attempt to inspire people from those demographics to voluntarily buy soda. Though soft drink companies want everyone to buy their sodas, they know which age groups and demographics are the prime targets for their products. For good reason, Mountain Dew advertisements frequently feature extreme sports, for example, and advertisements for tonic water usually feature older actors.

      You, on the other hand, are targeting your entire user base, which likely contains a multitude of demographics and job roles. Remember that the security practices you promote are must-do items and not should-do items. You’re not marketing a voluntary consumer purchase that they wouldn’t otherwise make. You’re ensuring that all users are aware of the expected behaviors that will keep your organization functioning properly while protecting the organization and its customers.

      Even more important, your goal is to have your users actually practice those behaviors. Marketing campaigns can usually declare success when they achieve single-digit percentage increases in the share of their audience practicing the desired behavior. For example, if a pizza delivery service can persuade an additional 5 percent of its audience to order pizza during a football game, that might double its sales — and the pizza seller is delighted. On the other hand, if you persuade only 5 percent of users to secure their workspace, it’s better than nothing — but you still have a massive security vulnerability, because the other 95 percent remain exposed.

      You can, however, make use of marketing principles once you recognize the limitations of traditional marketing: you need to target multiple audiences, so you will likely need to create multiple streams of communications with different messaging. More important, your messaging should be treated as seriously as other critical messaging, such as sexual harassment and fraud prevention. Part 2 of this book covers methods to achieve consistent behavior change across the various subcultures in your organization.

      This section is personal for me. I started working in the awareness field as a result of my performing social engineering simulations, and then companies inviting me to come in and present awareness programs that told people exactly how I messed over the company — so that people would know what to look for in the future. I entertained people with my stories that the Wall Street Journal referred to as “… alternating between hilarious and harrowing.” The stories were definitely memorable. When I would later go back to my targets to measure improvements, however, they were small at best.

      Consider that just because you can stab a person doesn’t mean that you can perform the surgery to repair the damage you caused. It’s unfortunately easy to physically harm a person with a knife; it takes infinitely more knowledge and skills to use a knife to save the person’s life. It’s a completely different skillset. Having performed social engineering for decades, I can state that it’s easy to trick a user into giving up information. It’s infinitely harder to train an entire population of users not to divulge information on a consistent basis. It’s likewise a completely different skillset.

      Social engineering is a broad term for nontechnical attacks that, on their own or in support of technical attacks, gain access to or otherwise target computers or information. Phishing is the most common example, but dumpster diving, shoulder surfing, and telephone pretext calling are also common social engineering attacks. The most iconic attacks are those where someone calls up a user and pretends to be from technical support to solicit
