'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training What's definitely not working with end-user cybersecurity awareness training - and what you can do about it.
Stu Sjouwerman has been focused on IT security for more than 30 years. The CEO and founder of KnowBe4, an awareness training provider, launched the company about a decade ago in response to what he saw as a serious gap in understanding about risk among end users.
Initially, as KnowBe4 created a customer base, many companies took on awareness training for compliance reasons. The legal landscape demanded security managers in some sectors to demonstrate they were at least offering awareness as part of overall strategy. But now their motivations have changed.
"The big movement, the sea change, has been from compliance to security," Sjouwerman says. "Imagine a Venn diagram. One circle is compliance. The other is actual security measures you need to take to make sure the bad guys don't come in. Awareness training has squarely moved from one circle to another."
Sjouwerman believes awareness training has finally arrived. More organizations see the value in it beyond checking a box, he says, and are investing accordingly.
"Over [the] last few years, awareness training has come into its own," he says. "CISOs understand there is no silver bullet in just software filters and that you really need to create a human firewall."
So there is awareness of security awareness. That's good news. But is it working?
"I think more companies are running programs," says Lisa Plaggemier, chief evangelist at the InfoSec Institute, "but I question the efficacy."
What's Not Working?
"The problem for some organizations trying to run really engaging, creative awareness campaigns is that they can get watered down in committees," Plaggemier says. "When we get [human resources], corporate comms, marketing all weighing in equally on an awareness campaign, the result can be bland and maybe too 'safe.'"
And certain strategies that originally launched in the early days of security awareness programs are now proving ineffective. According to Jason Hoenich, founder of awareness training provider Habitu8, programs based on FUD (fear, uncertainty, and doubt) and phishing simulation programs that use punitive measures are less powerful.
"Cutting off email access, Internet access, scolding, getting in trouble — these are all terrible consequences and methods against users that respond to email phishing simulation campaigns," Hoenich says. "It's a training — you can't fail a training. "If [a business] is finding [it needs] to resort to this, it means the program is doing something wrong."
Rethinking: Power to the People
So what does work in awareness training?
One approach Hoenich has recommended lately is the use of "security ambassadors" — a grassroots community of eager employees and leaders who are responsible for engaging with their co-workers about the larger security awareness program and its purpose and goals.
"It allows a single resource managing a program for a large enterprise and the ability to create local, trusted resources for each department, building, floor, and region as necessary," he says. "These resources also become feedback channels, so you can hear the needs of teams and departments you typically wouldn't get the chance to interface with."
Plaggemier believes in unique content that will interest end users at all stages of security understanding.
"The old sales funnel tells us that there are four stages people go through as they change their behavior: attention, interest, desire, and action," she says. "You need content for people at every stage of the funnel."
But that content has to take into consideration what its readers truly need to know.
"I still see too much homegrown content that assumes everyone is as passionate about security as we are: newsletters in 12-point type that are very content-rich," Plaggemier says. "That's fine for someone who is already interested or already desires to learn more about how to take action, but do you also have content for people that are at the top of the funnel?"
Rethinking: Power to the Data
In addition to technology such as phishing testing modules, there are technologies to measure and monitor users' security behavior (or lack thereof).
For example, in a session titled "Testing Your Organization's Social Media Awareness" at the recent Black Hat Briefings conference, Jacob Wilkin, network penetration tester and application security consultant with Trustwave SpiderLabs, demonstrated Social Attacker and Social Mapper. These newer, open source tools can be used to gain insights on users' security savviness when using social media.
Social Mapper searches for profile information from social media sites including Facebook, Instagram, and LinkedIn to see how employees have linked back to an organization in their profiles. Social Attacker can be used for active testing to discover which employees actually accept connection requests from a fake account — a key sign of a user who needs awareness education.
"You see who is connecting with strangers. You see who is clicking on links that you send them," Wilkin explained.
These tools offer visibility into end users' security practices, which the security manager can then use to tailor education efforts. (He cautioned that use of Social Attacker may not be legal in some regions due to privacy laws and should be thoroughly investigated before use.)
People and Data: Using Both to Create Culture
How do CISOs reconcile the two approaches offered by both training and analytical tools? Is it possible to harness the latest and greatest security intelligence while also training users to be part of the solution?
Sjouwerman thinks the answer lies in both. As an example, this year KnowBe4 acquired Norwegian-based CLTRe, a toolkit that describes itself as "the yardstick of culture." It scientifically measures security attitudes, behaviors, compliance, cognition, communication, norms, and responsibilities, and then assesses individuals within the organization so it can serve up micro-training modules specific to each person's weak areas.
The objective, Sjouwerman says, is to use analytics to first understand where the work needs to be done, and then get users involved in improving their own risk knowledge.
Starting with a high-level overview of security culture is the essential first step to improving awareness among the ranks, he said.
"Culture eats policy for breakfast. You can have as many policies as you want. But if your culture doesn't support it, it ain't going to happen."
Hoenich also indicates that organizations must design a program that is unique to their organization.
"Each company has its own unique culture. How employees communicate with leadership and one another all mean each program needs to be unique in its approach," he said.
(Image Source: ojogabonitoo via Adobe Stock)
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio