Security Awareness For Dummies. Ira Winkler
The root of the problem is not that a user takes an unaware action but rather that the user actions create damage. Safety science looks at the process holistically.
Though someone should address safety problems in a cohesive way, awareness professionals seek only to create better-implemented awareness programs. Understanding how your work as an awareness professional fits into the overall loss reduction program is important. You can then work with the other security teams to coordinate your efforts and tailor them to fit within theirs.
Applying Accounting Practices to Security Awareness
A proper accounting program protects an organization from financial loss. Accountants study financial processes and determine where losses can occur and how to control them through processes.
In much the same way that safety scientists figure out how a person comes into a position of potential injury and proactively try to remove that potential, accountants try to put processes in place that proactively remove the opportunity for financial errors. This involves proactively tracking financial and tangible resources, which means that all resources are categorized. This is why so many apparently annoying processes are in place in many businesses.
Likewise, a person has to endure many processes when they’re in the middle of a financial transaction, and follow detailed operational guidelines for how transactions are to be performed. For example, when I travel and have to file an expense report, I have to meet specific requirements for the level of documentation required. In some cases, I can just ask for a flat amount for all meals. In other organizations, I have to categorize every expense I want to be reimbursed for and then provide a receipt for any charge. In one case, I left out the receipt for a $4.53 Frappuccino, and the complete expense report claiming more than $3,000 was rejected until I could find the receipt.
Though I of course cursed the accounting department, I recognize that they’re just following the rules. Those rules were put in place because of the historical fraud that occurs whenever people submit fraudulent expenses. Clearly in this case, the organization expended more in lost labor costs between my time to redo the expense report and the time spent by someone in the accounting department to review the report thoroughly — twice. However, the processes were put in place to prevent what could become a large amount of fraud in aggregate.
Similarly, time tracking is critical for paying employees inside organizations. If people don’t properly enter and certify hours worked, they may not be paid. Therefore, people enter their information accurately and on time.
Note how nobody argues about most accounting processes. Nobody argues that it’s unfair to the user to not pay them if they don’t complete the time card properly. Nobody argued on my behalf for my organization to pay my travel expenses without the required documentation. Essentially, these accounting practices are a must-do item, not a should-do item. When you want cybersecurity practices to be a must-do and enforceable, you can point to these examples, which show that the organization already penalizes employees for not following other critical processes.
After the user has satisfied their business responsibilities, accountants then have review and audit processes in place to ensure that information is accurate, with no discrepancies. For example, I worked in a fast food restaurant where they tracked the number of servings of expensive foods. The restaurant served fried clams, and because the point-of-sale system could track every order, the store manager had to count the available servings at the beginning and end of the shift, and they had to ensure that sales matched the difference in available servings.
Though the clams were a specific example, all mature organizations track just about everything in and everything out. The accounting process looks to ensure proper tracking of financial resources. Some of it is to ensure proper financial reporting for taxes and investors. Accountants look for any deviations from expectations. The reasons for deviations don’t matter.
In cybersecurity, you have to apply these lessons and use behavioral analytics, review log files, and otherwise look for evidence of violations of security procedures. Though this is a critical response issue, reviewing this information can also tell you where user behaviors need to be improved.
Much as an accountant’s job is to identify deviations — whether the deviation is caused by error, accident, or malfeasance — when a user deviates from defined practices, the system should not care why. The deviation should be identified and investigated. Your organization should detect an action regardless of motivation. For example, if a user attaches a sensitive file to an email, it should be stopped regardless of whether it’s an accident or the user has malicious intent.
Whenever a deviation occurs, the type of deviation drives the follow-up process. It’s possible that forms, such as an expense form, will be returned for revision. If something valuable appears to be missing, it might inspire an investigation. In extreme cases, there might be a need for forensic accountants to complete a detailed investigation.
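As an added illustration of the two points above (detect the deviation regardless of motive, then let the type and history of the deviation drive the follow-up), here is a small deviation check run over constructed email-gateway records. It is example code written for this page, not from the book; the classification labels, the domain `example.com`, and the follow-up tiers are assumptions.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from the book).
SENSITIVE_LABELS = {"confidential", "restricted"}
INTERNAL_DOMAIN = "example.com"

@dataclass
class EmailEvent:
    user: str
    recipient: str
    attachment_label: str  # data-classification label on the attachment
    note: str = ""         # e.g. "accident" or "malicious"; never consulted

def is_deviation(event: EmailEvent) -> bool:
    """A sensitive attachment addressed outside the organization is a deviation.
    As in an accounting variance check, only the facts of the transaction count;
    event.note (the motive) is deliberately ignored."""
    external = not event.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    return external and event.attachment_label.lower() in SENSITIVE_LABELS

def followup_for(event: EmailEvent, prior_deviations: int) -> str:
    """Kind and history of the deviation drive follow-up: first time -> block and
    return for correction (like a returned expense form); repeated -> investigate;
    repeated with restricted data -> escalate to a detailed (forensic) review."""
    if not is_deviation(event):
        return "allow"
    if prior_deviations == 0:
        return "block-and-return"
    if event.attachment_label.lower() == "restricted":
        return "block-and-forensic-review"
    return "block-and-investigate"

def review_log(events):
    """Apply the check to each event in order; returns [(user, decision)]."""
    history, decisions = {}, []
    for ev in events:
        decision = followup_for(ev, history.get(ev.user, 0))
        if decision != "allow":
            history[ev.user] = history.get(ev.user, 0) + 1
        decisions.append((ev.user, decision))
    return decisions

SAMPLE_EVENTS = [  # constructed log records for the demonstration
    EmailEvent("alice", "bob@example.com", "confidential", "internal share"),
    EmailEvent("alice", "vendor@partner.invalid", "confidential", "accident"),
    EmailEvent("carol", "x@mail.invalid", "public"),
    EmailEvent("alice", "vendor@partner.invalid", "confidential", "malicious"),
    EmailEvent("dave", "d@mail.invalid", "restricted", "accident"),
    EmailEvent("dave", "d@mail.invalid", "restricted", "accident"),
]
```

Note that the "accident" and "malicious" annotations produce identical decisions; only the recipient, the data label, and the user's prior deviations change the outcome.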
Applying the ABCs of Awareness
The mark of success for an awareness program is that people change their behaviors as required. For security awareness programs, these behavior changes should provide a return on investment and justify the awareness program, as Chapter 8 discusses in detail.
In short, the ABCs of awareness mandate that awareness influences behavior. Behaviors practiced consistently create the culture. Culture in turn provides awareness and drives behaviors.
The goal is for awareness to influence behavior. Then behaviors, practiced consistently, create a culture (or consistent behaviors practiced across the organization), and in the case of a security awareness program, they create a security culture. Your security culture then helps to drive both awareness and behaviors. Figure 3-1 illustrates this relationship.
FIGURE 3-1: The ABCs of awareness.
Having awareness doesn’t matter if users don’t practice the desired behaviors. Most people know not to reuse passwords across multiple accounts, for example, yet you still face incidents unnecessarily because users reuse their passwords. In 2019, criminals published credentials for more than 3,000 Ring cameras in people’s homes. They were able to hack in and interact with children, using passwords that had been stolen in hacking incidents and then sold on the dark web. Though the passwords were from various websites, attempts to use them to access the cameras were successful because the parents had used the same passwords on the Ring account as they did on other Internet accounts.
If behaviors are consistently poor, the security culture is weak. If senior employees choose not to wear their badges, a new hire walking into the organization will soon stop wearing their badge too, no matter what the awareness posters say.
Have you ever heard someone say