"Every organization has cultural norms, and if you hope to change the way users behave, you have to look closely at yours before you can hope to achieve anything," said Perry Carpenter, research director at Gartner’s secure business enablement group, in a session at last week's Gartner Security & Risk Management Summit in Washington, D.C. "By 2015, we predict that about a quarter of organizations will have people dedicated to using social networks and other means to do explicit culture management -- to drive cultural and behavioral change -- and this will be a key element in driving change in security behavior."
The key, experts say, is to make security awareness part of everyday business operations, rather than something that is done in a classroom. Just as employees are rewarded or punished for appropriate handling of company funds or personal files, they can also be indoctrinated into a corporate culture that rewards and punishes for appropriate use of computers and data.
Education and security awareness play a significant role in changing corporate culture, experts note, but most companies are misguided or sloppy in their training efforts. The first problem is sometimes the person who develops the training program.
"The problem with a lot of security awareness programs is that they’re developed by security professionals," Gartner’s Carpenter said. "[Security pros] say, 'Hey, I know everything about security. We would do better if everybody knew what I know and behaved like me.' But in the end, it's not what employees know that matters -- it's what they do. Any education program should focus not on increasing awareness, per se, but on changing the way employees behave."
Julie Peeler, foundation director at (ISC)2, agrees. "As security professionals, we eat, sleep, and breathe security, but users don't," she observes. "When we teach users and try to change their behavior, we often skip steps in our own minds because they seem obvious to us. But developing a good end user security program means looking at it from the user’s perspective."
"We fail repeatedly to work with our users to actually modify their behavior," Murray says. "We try to 'train' them by giving them information and hoping that it will change behavior -- unfortunately, humans don't work that way."
MAD Security works with companies to change not what users know, but what they do. "The issue isn’t how to get more people thinking about security -- it's about intervening in their behavior to ensure that they do the right things without thinking about security," Murray explains. "The problem is that we think that education and more knowledge will make behavior change, and it doesn't. We may know that McDonald's is going to make us fat, but that doesn't stop most people from super-sizing their meal."
Like MAD, both Hadnagy’s social-engineering testing and PhishMe’s phishing education service are designed to take security education out of the classroom and into everyday operations. Hadnagy performs actual social-engineering tests on corporate employees to see how they will behave -- and how likely they are to fall for a scam -- as a means of improving security awareness. PhishMe's service is even more rigorous. It enables companies to "phish themselves" on a regular basis, all year long, using the same scams and techniques that are being used by cybercriminals in the wild. In fact, corporations could use the PhishMe service to test employees on their ability to recognize infections arriving in zip-wrapped PDF files -- the exact method that was used in the attacks on defense contractors revealed by Digital Bond last week, Belani says.
"The important thing to recognize is that these scams can happen to anyone -- companies of any size, employees of any level," Belani says. "A lot of people don't think they will get phished -- a lot of people don't think they’ll be the one who gets mugged, either, until it happens. It's not about being stupid -- it happened to Steve Jobs. It has happened to a lot of very smart and savvy people. But people have to be educated about what the phishers are doing."
The key, says Andrew Jaquith, CTO at Perimeter E-Security, is to have a strategy for changing user behavior.
"The first part, of course, is perennial security awareness," Jaquith says. "Teach your employees what they need to know, what they need to look out for, what's good, what's bad. Phishing resistance is the second thing. So run your own fake email campaigns. Try and spoof yourself. You can use any of the marketing tools, like Constant Contact. We use something called Hubspot, really good for blasting things out for customer communication.
"You should also do it with your employees," Jaquith continues. "There are plenty of toolkits out there like PhishMe that allow you to try to build a phishing campaign. See who falls for it. How many help desk tickets do you get? The third thing is custodianship. You need to have reporting -- encouraging a culture where your employees report weaknesses and breaches to IT -- and you act on them."
Ericka Chickowski contributed to this story.