08:06 AM
Ira Winkler
Ira Winkler
Connect Directly

Why Security Awareness Is Like An Umbrella

A small security awareness program will protect you as much as a small umbrella. So don't complain when you get wet.

If you look at the latest stories about computer hackers, or insiders who are the cause of insider attacks such as Bradley Manning or Edward Snowden, a common theme is the “Human Element.” The stories abound about how better security awareness would have stopped even the most devastating attacks. And that is very true.

At the same time, some people will claim that in all of the cases where a user enabled an attack, there was some form of awareness program in place, and it failed. These people will then go on to make a specious argument that since awareness failed, awareness programs are useless and funds should be reallocated to more technical countermeasures. Those arguments are not only naïve, they demonstrate that the people making these claims know little about practical security programs.

The fact is that all security countermeasures have and will fail. Encryption has failed time and time again. Firewalls have failed to stop attacks. Intrusion detection systems regularly fail to detect intrusions. Anti-virus software fails to stop a large percentage of malware. Access controls fail. Ironically a major reason for this failure is that all of these technologies require a person to properly implement and maintain them.

That being said, even the best awareness programs will fail. However as with all other security measures, failure does not mean that you abandon them or that they are not useful.

Any true security practitioner knows that security is not about preventing all losses, but about mitigating loss. A good security countermeasure helps to prevent incidents from occurring in the first place. However as all security measures will fail, it also helps to mitigate losses once an incident occurs. So security awareness should cause people to not fall prey to attacks, and also to detect and respond appropriately to attacks in progress.

The way to judge whether or not an awareness program is successful is to determine whether the money put into the program is less than the cost of losses that it prevents. The problem is that few people know how to measure the losses that are mitigated. You need to proactively collect metrics to see how a program improves user behaviors. This cannot be accomplished by just surveying people or seeing if they took required training. You need to determine how to measure the underlying security behaviors. This will be the topic of a future article. 

CBT is not an awareness program
In the meantime, it is important to understand what an awareness program is and is not. Specifically, most corporate awareness programs are not really awareness programs. Most programs are limited to mandatory computer based training (CBT) and sometimes phishing simulations. Neither of those tools constitutes an effective awareness program.

Auditors generally consider CBTs to satisfy security awareness requirements of just about all compliance standards. What these CBTs do is provide a base body of knowledge, frequently test people on short term comprehension, and can track people who complete the training. That does not demonstrate that people change their behaviors or are generally more aware.

The goal of security awareness is not simply providing people with facts. The goal is to improve people’s security-related behavior. Successful awareness training is not measured by the number of people who watch a video or click on a basic phishing message, but in their improved behaviors. This requires constant reinforcement of the desired topics, not randomly presenting topics throughout the year.

An effective awareness program engages employees on a regular basis and does not rely on a single format, or presentation of the topic on a one time basis. Security awareness requires reinforcement, like any aspect of human behavior.

It is also important to realize that one program is not right for all organizations. A good program analyzes the business drivers, to determine what topics need to be addressed. It then examines organizational culture to see what delivery vehicles will be most appropriate.  I’ll write more in future articles about the best methods to follow in order to develop effective security awareness programs. In the meantime, you can check out my latest white paper for additional information.

Think of security awareness as an umbrella. Just because you use an umbrella, it doesn’t mean that you won’t get wet. If you use an umbrella once, the umbrella does nothing to protect you from the next storm coming through. Likewise, a small awareness program will protect you as much as a small umbrella. You shouldn’t complain if you get wet.

Image courtesy of smarnad/FreeDigitalPhotos.net
Image courtesy of smarnad/FreeDigitalPhotos.net

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 2:41:16 PM
Re: Intriguing article
Yes the idea of tailoring security awareness programs to the individual organizations and employees makes a lot of sense. Curious to know if any readers approach awareness in this manner already? If so, how do you design your program and execute it?
User Rank: Apprentice
12/5/2013 | 4:13:17 PM
Intriguing article

This is a great read Ira. I agree that just because a counter measure isn't effective 100% of the time, doesn't mean it is time to scrap it. There is no cure-all solution to security. I've also seen a lot of companies that have  a "set it and forget it" mentality when it comes to security. The issue with this type of thinking is that hackers and identity thieves are adapting their methods on a constant basis, and technology has inherent flaws since is primarily built to protect against existing threats. I look forward to reading your upcoming articles.

Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-02
Buffer overflow in Canary Labs Trend Web Server before 9.5.2 allows remote attackers to execute arbitrary code via a crafted TCP packet.

Published: 2015-10-02
Cisco NX-OS 6.0(2)U6(0.46) on N3K devices allows remote authenticated users to cause a denial of service (temporary SNMP outage) via an SNMP request for an OID that does not exist, aka Bug ID CSCuw36684.

Published: 2015-10-02
Cisco Email Security Appliance (ESA) 8.5.6-106 and 9.6.0-042 allows remote authenticated users to cause a denial of service (file-descriptor consumption and device reload) via crafted HTTP requests, aka Bug ID CSCuw32211.

Published: 2015-10-01
lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.

Published: 2015-10-01
kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.