Security Awareness: Driving Better Behaviors vs Still the Same Old Problems

Security Awareness: Driving Better Behaviors by Javvad Malik, Security Awareness Advocate, KnowBe4

After many years of awareness campaigns, it’s only natural to ask whether security behaviors are actually improving as a result of better awareness.

For the defense, I state yes. Awareness is absolutely improving security behaviors. Behavioral change is akin to boiling a frog; it’s a series of very small changes that happen over a long period of time. It’s how, to the naked eye, one could come to the conclusion that the Earth is flat, whereas through scientific methods, or by being in the right place, one can prove that the Earth is indeed anything but flat.

Similarly, if you don’t look for the right indicators, or aren’t asking the right questions, it may appear as if behaviors haven’t changed, whereas over the last couple of decades, security behaviors have become almost unrecognizable.

Oftentimes, we look towards formal knowledge as the primary indicator of how effective awareness campaigns are. This sometimes takes the form of standard testing. While testing is good for short-term assessment, it is not always a good indicator of behavioral change. Consider speed awareness as an issue. Many people are aware that inappropriate speeds can lead to accidents; however, only a small percentage of those will be able to accurately answer what the braking distance would be to come to a complete stop when travelling at 50mph.

Just like speeding, we are better off measuring attitudes and social norms. In the late 1990s, locking a workstation or any electronic device when walking away from it was uncommon. However, over time, we’ve come to a point where most people will lock a workstation – at the very least, they will lock their mobile phones and are hesitant to leave an unlocked device in the hands of a stranger or someone they don’t fully trust.

Socially, asking someone for the PIN to unlock their phone can be met by the same reaction as if one were asking for the PIN to their bank card. While this may not hold true for every culture around the world, we have definitely seen a shift in behaviors towards greater security.


Another indicator of behavior is to see how important an issue is to society. Often, we can take a look at how many times the media mentions an issue. In that regard, there is no shortage of column inches and airtime dedicated to some form of security issue. While there are many security-specific publications, security news frequently finds its way into mainstream media. This is obviously more noticeable after any major incident, such as when WannaCry hit, or when a major company suffers a breach.

Beyond that, there is also the proliferation of security into pop culture, such as in movies and TV shows. While the cynical security professional may scoff at some of the technical creative liberties most shows take, the important fact to recognize is that the general public is aware of and understands enough about security issues and their impacts that they can be used easily and conveniently as a plot device.

Maybe the biggest evidence that continual security awareness has made a difference is showcased in the way software and devices are made. Granted, there are some poor examples, but overall, if you look at the trends and the direction in which the market is heading, it is all positive.

Privacy is one of the key messages put out by Apple when marketing its products. This shows that privacy is a topic people are concerned about; so much so that a more secure product with better privacy controls may sway purchasing decisions.

We have the rising adoption of two-factor authentication, and security features turned on by default. This includes features such as automatically locking a device after a period of inactivity, or receiving a notification whenever an account is accessed from a new location or device.

There has also been an increase in security features built into email services, many of which have greatly enhanced their anti-spam and anti-phishing measures over the years through automated filtering and user-facing warnings where an email may be impersonating someone else.

We also have organizations reaching out to their customers on a regular basis, reminding them of the latest scams and what to look out for.

So, before you try to conclude that security awareness doesn’t work or is a waste of time because people can’t tell the difference between SHA-1 and SHA-256, consider how many people really understand the actual health impact smoking has on them. Most don’t know, and probably don’t care beyond, “it’s harmful.”

Similarly, we need to ask ourselves as security professionals: do we care more about what people know, or what they do? What they do is showing that awareness is working.

Security Awareness: Still the Same Old Problems, by Ed Tucker, Co-Founder, Human Firewall

Security awareness isn’t something new. It is a means to educate the workforce, the front line of risk realization, and to create a culture where security behavior marches triumphantly towards exemplary. This represents a fabulous opportunity to have a tangibly positive impact upon risk. However, in the real world, it is little more than a compulsory undertaking at as little cost and effect as possible. Ask yourself: can you even measure positive behavioral change? Bear in mind, truly positive behavioral change is a cumulative set of collaborative actions across multiple people and units. More on that later; let’s start with the basics.

Many organizations have been undertaking security awareness for many years, though I would argue that a large percentage of those are merely paying lip service to a complex area. This isn’t helped by things like the Gartner Magic Quadrant, or the interpretation of regulations like PCI-DSS, where ‘at least annually’ becomes an annual tick-box exercise. The ethos is lost in the need to tick a compliance box, and thus many organizations frankly waste money, effort and staff time in an utterly pointless exercise. Make no bones about it: if your awareness program consists of once-a-year CBT security training, then you are doing it staggeringly wrong! You’d be better served by simply stopping.

Above everything, security awareness is about outcomes: an overarching set of goals that can be achieved, or worked towards, through coherent and meaningful awareness activities. The goal here is not to be compliant with a standard or regulation. Where PCI-DSS talks about awareness, it is not to provide a box for organizations to tick. It is about reducing risk, protecting cardholder data, and having a positive impact.


To have a positive impact on security behaviors in any way, awareness activities must be developed with outcomes in mind. To develop outcomes, you must always consider cumulative effects and dependencies. This isn’t to create some kind of irreducible complexity, but simply to understand how an impact in one area creates an effect elsewhere. In its most basic form: if you were somehow able to raise awareness across all employees to a consistently high standard, then what would be the effect? Again, at base levels, employees would be more cognizant of risk as a concept, would more readily identify the manifestation of threats, and a reporting culture would be nurtured across the organization. That in itself sounds great, and without doubt is a positive. However, in terms of positive actions and outcomes across an organization, is this enough? In short, no!

All the above does is move aspects of risk to another area. Greater awareness, and thus greater reporting, leads to an overhead on security investigations and operations. Are the teams, or people, responsible for this able to cope with the demand? Do they have dependencies upon processes, technologies and other teams in order to effect positive influence upon these investigations? Are they able to mirror any positive behavioral change to ensure positive security actions, or are they a detrimental dependency? Do you even know?

If you do not consider such knock-on effects when awareness activities are developed, then even if your awareness activities are brilliant, their effect will be significantly sub-optimal. You might also want to consider such teams for the insight they can provide in terms of tangible risk parameters to build your awareness around. Again, with simplicity in mind, provide awareness about the actual threats that manifest to the employee, rather than theoretical ones.

A large part of the problem with awareness and effecting behavioral change to achieve positive outcomes is that the organization and thinking therein is dislocated. Dislocated from how a risk is realized and the cumulative actions required to mitigate, respond and/or remediate. Dislocated from the processes required to enact such actions. Dislocated from a clear view of risk to enable successful adoption into awareness activities. Dislocated from the overall view of positive outcomes and their make-up.

All this, and then consideration of things like styles of learning, timeliness, frequency, appropriate hooks, building affinity and much, much more.

To develop successful behavioral change across an organization that has a tangible positive impact upon risk, awareness, as it is commonly done today, does not come close to cutting the mustard. Furthermore, how many organizations are actually trying to drive such change, as opposed to simply ticking a box or following the quadrant? To drive behavioral change, we have to change our own behaviors first, and then apply them to our awareness programs, most pertinently in understanding the spider’s web of cumulative effects.

