If you look at the latest stories about computer hackers, or insiders who are the cause of insider attacks such as Bradley Manning or Edward Snowden, a common theme is the “Human Element.” The stories abound about how better security awareness would have stopped even the most devastating attacks. And that is very true.
At the same time, some people will claim that in all of the cases where a user enabled an attack, there was some form of awareness program in place, and it failed. These people will then go on to make a specious argument that since awareness failed, awareness programs are useless and funds should be reallocated to more technical countermeasures. Those arguments are not only naïve, they demonstrate that the people making these claims know little about practical security programs.
The fact is that all security countermeasures have and will fail. Encryption has failed time and time again. Firewalls have failed to stop attacks. Intrusion detection systems regularly fail to detect intrusions. Anti-virus software fails to stop a large percentage of malware. Access controls fail. Ironically a major reason for this failure is that all of these technologies require a person to properly implement and maintain them.
That being said, even the best awareness programs will fail. However as with all other security measures, failure does not mean that you abandon them or that they are not useful.
Any true security practitioner knows that security is not about preventing all losses, but about mitigating loss. A good security countermeasure helps to prevent incidents from occurring in the first place. However as all security measures will fail, it also helps to mitigate losses once an incident occurs. So security awareness should cause people to not fall prey to attacks, and also to detect and respond appropriately to attacks in progress.
The way to judge whether or not an awareness program is successful is to determine whether the money put into the program is less than the cost of losses that it prevents. The problem is that few people know how to measure the losses that are mitigated. You need to proactively collect metrics to see how a program improves user behaviors. This cannot be accomplished by just surveying people or seeing if they took required training. You need to determine how to measure the underlying security behaviors. This will be the topic of a future article.
CBT is not an awareness program
In the meantime, it is important to understand what an awareness program is and is not. Specifically, most corporate awareness programs are not really awareness programs. Most programs are limited to mandatory computer based training (CBT) and sometimes phishing simulations. Neither of those tools constitutes an effective awareness program.
Auditors generally consider CBTs to satisfy security awareness requirements of just about all compliance standards. What these CBTs do is provide a base body of knowledge, frequently test people on short term comprehension, and can track people who complete the training. That does not demonstrate that people change their behaviors or are generally more aware.
The goal of security awareness is not simply providing people with facts. The goal is to improve people’s security-related behavior. Successful awareness training is not measured by the number of people who watch a video or click on a basic phishing message, but in their improved behaviors. This requires constant reinforcement of the desired topics, not randomly presenting topics throughout the year.
An effective awareness program engages employees on a regular basis and does not rely on a single format, or presentation of the topic on a one time basis. Security awareness requires reinforcement, like any aspect of human behavior.
It is also important to realize that one program is not right for all organizations. A good program analyzes the business drivers, to determine what topics need to be addressed. It then examines organizational culture to see what delivery vehicles will be most appropriate. I’ll write more in future articles about the best methods to follow in order to develop effective security awareness programs. In the meantime, you can check out my latest white paper for additional information.
Think of security awareness as an umbrella. Just because you use an umbrella, it doesn’t mean that you won’t get wet. If you use an umbrella once, the umbrella does nothing to protect you from the next storm coming through. Likewise, a small awareness program will protect you as much as a small umbrella. You shouldn’t complain if you get wet.