Risk
12/5/2013
08:06 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why Security Awareness Is Like An Umbrella

A small security awareness program will protect you as much as a small umbrella. So don't complain when you get wet.

If you look at the latest stories about computer hackers, or insiders who are the cause of insider attacks such as Bradley Manning or Edward Snowden, a common theme is the “Human Element.” The stories abound about how better security awareness would have stopped even the most devastating attacks. And that is very true.

At the same time, some people will claim that in all of the cases where a user enabled an attack, there was some form of awareness program in place, and it failed. These people will then go on to make a specious argument that since awareness failed, awareness programs are useless and funds should be reallocated to more technical countermeasures. Those arguments are not only naïve, they demonstrate that the people making these claims know little about practical security programs.

The fact is that all security countermeasures have and will fail. Encryption has failed time and time again. Firewalls have failed to stop attacks. Intrusion detection systems regularly fail to detect intrusions. Anti-virus software fails to stop a large percentage of malware. Access controls fail. Ironically a major reason for this failure is that all of these technologies require a person to properly implement and maintain them.

That being said, even the best awareness programs will fail. However as with all other security measures, failure does not mean that you abandon them or that they are not useful.

Any true security practitioner knows that security is not about preventing all losses, but about mitigating loss. A good security countermeasure helps to prevent incidents from occurring in the first place. However as all security measures will fail, it also helps to mitigate losses once an incident occurs. So security awareness should cause people to not fall prey to attacks, and also to detect and respond appropriately to attacks in progress.

The way to judge whether or not an awareness program is successful is to determine whether the money put into the program is less than the cost of losses that it prevents. The problem is that few people know how to measure the losses that are mitigated. You need to proactively collect metrics to see how a program improves user behaviors. This cannot be accomplished by just surveying people or seeing if they took required training. You need to determine how to measure the underlying security behaviors. This will be the topic of a future article. 

CBT is not an awareness program
In the meantime, it is important to understand what an awareness program is and is not. Specifically, most corporate awareness programs are not really awareness programs. Most programs are limited to mandatory computer based training (CBT) and sometimes phishing simulations. Neither of those tools constitutes an effective awareness program.

Auditors generally consider CBTs to satisfy security awareness requirements of just about all compliance standards. What these CBTs do is provide a base body of knowledge, frequently test people on short term comprehension, and can track people who complete the training. That does not demonstrate that people change their behaviors or are generally more aware.

The goal of security awareness is not simply providing people with facts. The goal is to improve people’s security-related behavior. Successful awareness training is not measured by the number of people who watch a video or click on a basic phishing message, but in their improved behaviors. This requires constant reinforcement of the desired topics, not randomly presenting topics throughout the year.

An effective awareness program engages employees on a regular basis and does not rely on a single format, or presentation of the topic on a one time basis. Security awareness requires reinforcement, like any aspect of human behavior.

It is also important to realize that one program is not right for all organizations. A good program analyzes the business drivers, to determine what topics need to be addressed. It then examines organizational culture to see what delivery vehicles will be most appropriate.  I’ll write more in future articles about the best methods to follow in order to develop effective security awareness programs. In the meantime, you can check out my latest white paper for additional information.

Think of security awareness as an umbrella. Just because you use an umbrella, it doesn’t mean that you won’t get wet. If you use an umbrella once, the umbrella does nothing to protect you from the next storm coming through. Likewise, a small awareness program will protect you as much as a small umbrella. You shouldn’t complain if you get wet.

Image courtesy of smarnad/FreeDigitalPhotos.net
Image courtesy of smarnad/FreeDigitalPhotos.net

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 2:41:16 PM
Re: Intriguing article
Yes the idea of tailoring security awareness programs to the individual organizations and employees makes a lot of sense. Curious to know if any readers approach awareness in this manner already? If so, how do you design your program and execute it?
clorenzo
50%
50%
clorenzo,
User Rank: Apprentice
12/5/2013 | 4:13:17 PM
Intriguing article

This is a great read Ira. I agree that just because a counter measure isn't effective 100% of the time, doesn't mean it is time to scrap it. There is no cure-all solution to security. I've also seen a lot of companies that have  a "set it and forget it" mentality when it comes to security. The issue with this type of thinking is that hackers and identity thieves are adapting their methods on a constant basis, and technology has inherent flaws since is primarily built to protect against existing threats. I look forward to reading your upcoming articles.

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.