Security Awareness For Dummies. Ira Winkler
Read online: Security Awareness For Dummies, Ira Winkler, page 9
The goal for awareness is for users to behave according to policies and procedures. Part of the function of an awareness program is making users aware that bad guys exist and that those bad guys will attempt to do bad things. But awareness programs primarily focus on making people aware of how to behave according to procedures in potentially risky situations.
Grasping how users initiate loss
At a cybersecurity conference where I spoke, I was in a buffet line at lunchtime. At one table that the line passed, I saw some stickers that said, Don’t Click On Sh*t! The person in front of me was an administrator, and he grabbed a handful of stickers while saying, “I need a lot of these to give to my users.” I then replied, “You must give your users a lot of ‘sh*t’ to click on.”
The guy was confused and asked what I meant. I replied that the users would have no items to avoid clicking on if the systems he supported didn’t pass the messages to the users. I then added that if he knows users will click on problematic items, he should be taking active measures to stop the inevitable damage. He was confused, but of course kept the stickers.
For more information on user-initiated loss, find a copy of my book, written with Dr. Tracy Celaya Brown, You Can Stop Stupid: Stopping Losses from Accidental and Malicious Actions (Wiley, 2021).
Users can cause only the amount of damage they’re put in the position to cause — and then allowed to carry out. However, even after they make a potentially damaging mistake, or even if they’re blatantly malicious, it doesn’t mean that the system should allow the loss to be realized.
For example, a user can click on a phishing message only if the antiphishing technology used by your organization fails to filter the message. If the user clicks on a phishing message and ransomware is activated, the ransomware can destroy the system only if the user has permission to install software on the system — and then, in almost all cases, only if no standard antimalware is present on the system.
User error is a symptom of the problems with your system. Even if a user makes a mistake, or is even malicious, the resulting loss is a problem with the system providing users with potential actions and then enabling the loss.
In essence, users may initiate a chain of actions that create the loss, but the loss is a result of failings in the system as a whole.
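The chain-of-failures argument above, as an added example that is not part of the book: a small Python model in which every point in the chain, the mail filter, the user, the install permission, and antimalware, is a link with a pass rate, and loss is realized only if every link lets the event through. All numbers are constructed for illustration, not figures from the author; the link names and functions are hypothetical. With these assumed numbers it also shows that supplying a control the system lacks cuts expected loss more than halving the click rate does.

```python
"""Added illustration: loss as the product of a chain of failed controls.

Constructed numbers and hypothetical link names; not the book's own model.
"""
from typing import Dict, List, Tuple

# Each link is (description, probability that the link lets the event continue).
# A pass rate of 1.0 means no control exists at that point in the chain.
Chain = List[Tuple[str, float]]

BASELINE: Chain = [
    ("mail filter delivers the phishing message", 0.20),  # constructed: filter stops 80%
    ("user clicks the link or attachment", 0.30),         # constructed: click rate
    ("user is permitted to install software", 1.00),      # no least privilege in place
    ("antimalware misses the payload", 1.00),             # no antimalware in place
]


def loss_probability(chain: Chain) -> float:
    """Probability that one inbound phishing message ends in realized loss.

    Loss happens only if every link, the user included, lets it through,
    so the probability is the product of the pass rates along the chain.
    """
    p = 1.0
    for _, pass_rate in chain:
        if not 0.0 <= pass_rate <= 1.0:
            raise ValueError(f"pass rate out of range: {pass_rate}")
        p *= pass_rate
    return p


def expected_losses(chain: Chain, messages: int) -> float:
    """Expected number of realized losses per `messages` inbound phishing emails."""
    return messages * loss_probability(chain)


def with_link(chain: Chain, description: str, pass_rate: float) -> Chain:
    """Return a copy of the chain with one link's pass rate changed."""
    if description not in {d for d, _ in chain}:
        raise KeyError(description)
    return [(d, pass_rate if d == description else r) for d, r in chain]


def missing_controls(chain: Chain) -> List[str]:
    """Links that let everything through: the points where the system, not the
    user, enables the loss to be realized."""
    return [d for d, r in chain if r >= 1.0]


def compare_interventions(chain: Chain, messages: int = 10_000) -> Dict[str, float]:
    """Expected losses under the baseline and three constructed interventions."""
    least_privilege = with_link(chain, "user is permitted to install software", 0.10)
    return {
        "baseline": expected_losses(chain, messages),
        "awareness halves click rate": expected_losses(
            with_link(chain, "user clicks the link or attachment", 0.15), messages),
        "least privilege (installs blocked 90%)": expected_losses(
            least_privilege, messages),
        "least privilege + antimalware (95% catch)": expected_losses(
            with_link(least_privilege, "antimalware misses the payload", 0.05), messages),
    }


if __name__ == "__main__":
    print("missing controls:", missing_controls(BASELINE))
    for label, losses in compare_interventions(BASELINE).items():
        print(f"{label:45s} {losses:8.1f} losses per 10,000 messages")
```

Running the block lists the two links with no control at all and prints the expected losses for each scenario; the halved click rate still leaves far more realized losses than either added control, which is the point of the passage: the user initiates the chain, but the system decides whether the loss is realized.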
Knowing How Security Awareness Programs Work
Unfortunately, there is little consistency in what is perceived to be a sufficient organizational security awareness program. Some organizations just have users, or employees, sign a document. Many other awareness programs require employees to read the document once a year (or, increasingly, watch a video).
At the other end of the spectrum, when I started at the National Security Agency (NSA), my security awareness training actually began long before I started working there. After I passed the initial aptitude test, I was sent information to arrange for an interview. During that interview was a conversation about the special security considerations of working for the NSA. I was prepared for what would be involved in obtaining a top secret clearance, as well as the need not to discuss my potential employment. I was then invited to visit the NSA headquarters for further interviews.
My travel packet included a basic discussion of security requirements. Upon arrival, I was provided with another security briefing related to how to get into, and then behave within, the facilities. I met with counterintelligence officers, who provided a general overview of security requirements and then administered a polygraph exam. I also took a battery of psychological tests. During the technical interviews, I met with professionals who also discussed the job expectations, including the expected security-related behaviors. The NSA is a special case, of course — most organizations don’t engage in such rigorous screening practices.
The goal of a security awareness program is to improve security-related behaviors. The goal is not to simply make people aware of an issue — the goal is to inspire people to behave appropriately to avoid the initiation of a loss and, ideally, to detect and respond to the potential for loss. Whether people understand how their actions promote security is secondary because the goal of an awareness program is to change behaviors, not just impart knowledge.
When I started working at the NSA, I took a 3-day security awareness class. Security awareness posters were hung on walls all over the buildings. Applicants received security newsletters and attended regular security-related presentations. These awareness tools were generally unnecessary, however. All I had to do to see how to behave was behave like everyone else. Everyone wore their badges, so I wore my badge. Everyone lined up to have their belongings inspected on the way out of the buildings. In essence, the entire culture was the awareness program. People lost their jobs because of security violations. I am not saying the NSA was perfect, because it clearly had some major failings, but for all the potential risk, the NSA experienced relatively little loss.
Clearly, few organizations in the world have the type of awareness program that the NSA has. Unlike organizations that prioritize profits, branding, and other deliverables, the NSA focuses on security. Security is the NSA brand.
A good security awareness program intends to change and improve security-related behaviors. You can incorporate many tools into an awareness plan to create that change. Chapter 7 defines a variety of tools that you can incorporate into your program. Some tools are more popular than others; however, no tool is absolutely required. The choice depends on your needs. At the end of the day, a security awareness program is essentially a set of tools, techniques, and measurements intended to improve security-related behaviors.
Establishing and measuring goals
The ultimate goal of a security awareness program is to change and improve security-related behaviors. Security programs are created to reduce loss. As an essential part of an organization’s overall information security program, security awareness should likewise reduce loss.
In Chapter 8, I discuss some metrics you can use to judge whether your awareness program successfully reduces loss. Many security awareness professionals talk about the likeability of their tools, the number of people who show up to their events, and the quality of their posters. These metrics and general impressions are nice to know, but they’re relatively useless from a practical perspective.
A metric demonstrating that you’re changing behaviors in a way that reduces loss, or preferably improves efficiency and makes the organization money, is the most useful metric to show that you’re producing value. This isn’t to say that it’s the only possible benefit of a security awareness program. Awareness programs also often provide intangible benefits to the organization. These benefits include protecting the organization from damage to its reputation, illustrating that the organization is committed to security, generating excitement and engagement among employees, and reassuring customers that your organization is actively protecting them.