Security Awareness For Dummies. Ira Winkler
Read online: Security Awareness For Dummies - Ira Winkler, page 16
People within an organization generally assume that what is common sense for them is common sense for everyone. Yet people within that group often lack the shared knowledge that a common sense understanding requires.
Common sense is based on common knowledge. You can’t have common sense without first establishing common knowledge.
In cybersecurity, people without a technical background generally lack knowledge that IT and security professionals take for granted. Account for this fact when you form your assumptions: you must understand where common knowledge does (and does not) exist among the individuals in the group whose behavior you want to influence.
When you approach the design of your awareness programs, ask yourself, “Is this fact or idea common knowledge, and should it be?”
Be sure to consider whether users lack the common knowledge required to act on your recommendations. Security awareness programs often tell users to create strong passwords, for example, or to check the identity of the sender of the email messages they receive. Even though most awareness communications require concise messaging, you must consider whether such guidance needs to be backed up with instruction. If users don't know how to create a strong password, or what verifying the identity of an email's sender actually involves, the higher-level guidance is worthless. You must establish a base of common knowledge before you can expect the common sense behavior.
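To make concrete how much hidden knowledge sits behind the instruction "check the identity of the sender", here is an added example, not code from the book, that runs the checks a user (or their mail client) would actually need to perform on a constructed phishing message: the display name versus the real From address, a look-alike domain, a Return-Path on a different domain, and the DMARC verdict in the Authentication-Results header. The two messages, the trusted domain list and the small confusable-character map are all assumptions made up for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample (not from the book): the display name claims to be the CEO,
# the From address uses a look-alike domain ("examp1e.com", digit one for "l"),
# the bounce address lives on a third domain, and DMARC failed.
PHISHING_MESSAGE = """\
Return-Path: <bounce@mail-campaign.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-campaign.example.net; dkim=none; dmarc=fail header.from=examp1e.com
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
To: <user@example.com>
Subject: Urgent: wire transfer needed today

Please process the attached invoice immediately.
"""

# Constructed legitimate counterpart: real domain, aligned bounce address, DMARC pass.
LEGITIMATE_MESSAGE = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe, CEO" <jane.doe@example.com>
To: <user@example.com>
Subject: Q3 planning

Agenda attached for Thursday.
"""

# Domains the organization actually sends mail from (assumed for the example).
TRUSTED_DOMAINS = {"example.com"}

# Characters commonly swapped in look-alike domains (a deliberate simplification).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def normalize_domain(domain):
    """Undo common substitutions so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def parse_auth_results(value):
    """Return e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'} from an
    Authentication-Results header. The first ';'-separated clause is the
    authserv-id and carries no result, so it is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def domain_of(address):
    return address.rpartition("@")[2].lower()


def sender_checks(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Run the checks a user would need to know about before 'verify the sender'
    becomes actionable, and return them alongside the parsed header values."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    return_domain = domain_of(return_path)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    lookalike_of = None
    if from_domain not in trusted_domains:
        findings.append(f"From domain {from_domain!r} is not one of the trusted domains")
        normalized = normalize_domain(from_domain)
        if normalized in trusted_domains:
            lookalike_of = normalized
            findings.append(f"{from_domain!r} is a look-alike of {normalized!r}")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC result is {auth.get('dmarc', 'missing')!r}, not 'pass'")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_domain,
        "return_domain": return_domain,
        "auth": auth,
        "lookalike_of": lookalike_of,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        report = sender_checks(raw)
        print(f"{label}: {report['display_name']} <{report['from_address']}>")
        for finding in report["findings"] or ["no findings"]:
            print("  -", finding)
```

The display name alone tells the user nothing, and even the visible address only helps if they know which domains are genuine and how to spot a substituted character; the Return-Path and Authentication-Results headers are not shown by most mail clients at all. Each of those facts is the kind of common knowledge the guidance silently assumes.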
Company leaders sometimes assume that technical workers, including security team members, have more common sense than the average users. In my experience, this assumption is often incorrect. A common tactic used by cyberthieves, for example, is to pretend to be another person, call an organization’s Help desk, and persuade an unwitting Help desk representative to reset that person’s password. As a test, I have personally convinced a Help desk rep within one of my targeted companies to send me a new computer during a social engineering exercise. During physical penetration tests, I frequently just walk into the security office and persuade the employees to issue me an actual facility badge.
Unless you know that people in a given job function receive fundamental training that enables them to act on your guidance, assume that they lack the necessary common knowledge. Embed this assumption in every aspect of your awareness program by asking, for each piece of information you provide, whether users have the underlying knowledge to act on it. You probably can't include every basic concept in awareness materials, but you need to design your messaging to accommodate a lack of common knowledge.
If you need to provide more detailed information than you can provide in a given communications medium, you might want to link to or refer to a more detailed information source, such as the knowledgebase I describe in Chapter 7. This way, you can provide your intended message and ensure that common knowledge is available.
Borrowing Ideas from Safety Science
Perhaps the most valuable science an awareness professional can study is safety science. Put simply, safety science aims to prevent workplace injuries. Workplace injuries create tangible loss for an organization: beyond the immediate cost of treating the injury, there is lost productivity, potential lawsuits, legal and regulatory penalties, increased insurance costs, and other losses. Depending on the industry, operations may have to cease when an injury occurs.
Because workplace injuries carry clear costs, specific cost savings are easy to attribute to the efforts that prevent them. Extensive resources, with sponsorship from top executives, are understandably put toward safety efforts, and regulatory requirements often push executives harder still. Security awareness efforts, on the other hand, provide benefits that are more difficult to measure. When a user makes a security-related error, they may not injure themselves, but they can definitely cause damage to the organization. The practices of safety science therefore need to be adapted to cybersecurity.
Recognizing incidents as system failures
A critical philosophy adopted in safety science says that if an employee injures themselves, it’s a failure of the entire system. The idea is that a user should never be in a position where they can injure themselves, and even if they are injured, the extent of the injury should be minimized.
Safety science identifies three phases of an injury:
The environment that puts a user in a position where they can injure themselves
The action that creates the injury
The response to the injury
Safety experts first focus on creating a workplace that is less likely to cause an injury. For example, I spoke to the safety manager at a manufacturing company where I was creating an awareness program, who told me that the company had problems with forklifts hitting employees inside a warehouse. After studying a variety of alternatives, company leaders decided on the simple act of painting yellow lines down the aisles of the warehouse. Employees were to walk on one side, and forklifts were to stay on the other side. This strategy stopped approximately 90 percent of accidents involving forklifts.
Because you can never completely remove the possibility of injury, you must consider that users will be in a position to injure themselves. Safety science then studies the role of awareness, as well as what IT professionals call the user experience. If a user is operating a piece of equipment that is too big for them, for example, they can injure themselves. Likewise, if the user doesn’t know how to properly use the equipment, they can injure themselves. Even if the user does know what to do, they might not do it as intended.
As I discuss in Chapter 1, you have to work with other teams to create a resilient environment, and when you know your environment, you can train people how best to use it.
Just because a user is aware of what to do doesn’t mean that they will do it. They may not have mastered the information. They might know what to do and not have motivation to do it. They might want to implement the awareness information, but they might be in a rush and take shortcuts. For many reasons, even an aware user might not follow awareness guidance.
Responding to incidents
Even with the best awareness, someone will injure themselves. You therefore need to put in place an environment that expects an injury and attempts to reduce its severity. This includes ensuring that first aid kits are in place, along with properly trained first responders, the