Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/5/2013
08:06 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why Security Awareness Is Like An Umbrella

A small security awareness program will protect you as much as a small umbrella. So don't complain when you get wet.

If you look at the latest stories about computer hackers, or insiders who are the cause of insider attacks such as Bradley Manning or Edward Snowden, a common theme is the “Human Element.” The stories abound about how better security awareness would have stopped even the most devastating attacks. And that is very true.

At the same time, some people will claim that in all of the cases where a user enabled an attack, there was some form of awareness program in place, and it failed. These people will then go on to make a specious argument that since awareness failed, awareness programs are useless and funds should be reallocated to more technical countermeasures. Those arguments are not only naïve, they demonstrate that the people making these claims know little about practical security programs.

The fact is that all security countermeasures have and will fail. Encryption has failed time and time again. Firewalls have failed to stop attacks. Intrusion detection systems regularly fail to detect intrusions. Anti-virus software fails to stop a large percentage of malware. Access controls fail. Ironically a major reason for this failure is that all of these technologies require a person to properly implement and maintain them.

That being said, even the best awareness programs will fail. However as with all other security measures, failure does not mean that you abandon them or that they are not useful.

Any true security practitioner knows that security is not about preventing all losses, but about mitigating loss. A good security countermeasure helps to prevent incidents from occurring in the first place. However as all security measures will fail, it also helps to mitigate losses once an incident occurs. So security awareness should cause people to not fall prey to attacks, and also to detect and respond appropriately to attacks in progress.

The way to judge whether or not an awareness program is successful is to determine whether the money put into the program is less than the cost of losses that it prevents. The problem is that few people know how to measure the losses that are mitigated. You need to proactively collect metrics to see how a program improves user behaviors. This cannot be accomplished by just surveying people or seeing if they took required training. You need to determine how to measure the underlying security behaviors. This will be the topic of a future article. 

CBT is not an awareness program
In the meantime, it is important to understand what an awareness program is and is not. Specifically, most corporate awareness programs are not really awareness programs. Most programs are limited to mandatory computer based training (CBT) and sometimes phishing simulations. Neither of those tools constitutes an effective awareness program.

Auditors generally consider CBTs to satisfy security awareness requirements of just about all compliance standards. What these CBTs do is provide a base body of knowledge, frequently test people on short term comprehension, and can track people who complete the training. That does not demonstrate that people change their behaviors or are generally more aware.

The goal of security awareness is not simply providing people with facts. The goal is to improve people’s security-related behavior. Successful awareness training is not measured by the number of people who watch a video or click on a basic phishing message, but in their improved behaviors. This requires constant reinforcement of the desired topics, not randomly presenting topics throughout the year.

An effective awareness program engages employees on a regular basis and does not rely on a single format, or presentation of the topic on a one time basis. Security awareness requires reinforcement, like any aspect of human behavior.

It is also important to realize that one program is not right for all organizations. A good program analyzes the business drivers, to determine what topics need to be addressed. It then examines organizational culture to see what delivery vehicles will be most appropriate.  I’ll write more in future articles about the best methods to follow in order to develop effective security awareness programs. In the meantime, you can check out my latest white paper for additional information.

Think of security awareness as an umbrella. Just because you use an umbrella, it doesn’t mean that you won’t get wet. If you use an umbrella once, the umbrella does nothing to protect you from the next storm coming through. Likewise, a small awareness program will protect you as much as a small umbrella. You shouldn’t complain if you get wet.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 2:41:16 PM
Re: Intriguing article
Yes the idea of tailoring security awareness programs to the individual organizations and employees makes a lot of sense. Curious to know if any readers approach awareness in this manner already? If so, how do you design your program and execute it?
clorenzo
50%
50%
clorenzo,
User Rank: Apprentice
12/5/2013 | 4:13:17 PM
Intriguing article

This is a great read Ira. I agree that just because a counter measure isn't effective 100% of the time, doesn't mean it is time to scrap it. There is no cure-all solution to security. I've also seen a lot of companies that have  a "set it and forget it" mentality when it comes to security. The issue with this type of thinking is that hackers and identity thieves are adapting their methods on a constant basis, and technology has inherent flaws since is primarily built to protect against existing threats. I look forward to reading your upcoming articles.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.