There is a great dichotomy in Security Awareness. Just about all of the CSOs we talk to believe that one of their top priorities is to improve their organization's security culture — in other words, the behavior of their users. Similarly, we see article after article and study after study talking about how humans are the primary attack vector for advanced attacks. Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases such as protecting and attacking "Layer 8" have emerged.
Yet we periodically see the media entertain notions that challenge the value of security awareness. While there are notable security awareness failings, awareness, like all security efforts, is about risk mitigation, not complete prevention, and needs to be implemented properly.
While we previously spoke about the aspects of what makes security awareness programs successful, it is also important to proactively realize what might cause programs to fail. Even if you attempt to implement good practices, you have to ensure that you are not executing practices that subvert your program before you start. In this article, we address those practices that you should watch out for proactively to prevent failure. In this case, failure generally translates to major losses.
Not understanding what security awareness really is
This is probably the most fundamental reason for the failure of most awareness programs. There is a basic lack of understanding in industry as to what security awareness actually is. There is a major difference between security awareness programs and security training. Training is about providing a set body of knowledge and typically tests for short-term comprehension. Watching the standard "awareness" video is an example of such training.
The primary purpose of security awareness is to change behavior. There is no test of short-term comprehension. The only "test" is how a person behaves on an ongoing basis in the real world.
The mere act of providing a set body of knowledge does not change behavior. Information must be provided in a way that relates to how employees think and behave. There must be a personal association of how the knowledge would impact their actions. There is also a difference between providing an individual with information on a one-time basis and delivering information in different formats over the course of time to effect change.
In short though, it is rare for an organization to actually understand and implement a program that intends to actively engage the employee with the sole purpose of striving for a better security culture.
Reliance on checking the box
Any good CSO will tell you that compliance is just a start for any security program. Security compliance standards do not guarantee security in any way; they just provide a minimum level of security countermeasures. Candidly, most compliance standards do not provide reasonable security, and it is especially true regarding security awareness.
The compliance standards for awareness are almost universally vague. They usually state something as broad as, "The organization must have a security awareness program in place." There is often nothing regarding the content or structure of such a program, and it generally falls upon the auditors to determine what is compliant. Auditors tend to know little about what constitutes a good awareness program, and tend to almost always approve the once-a-year, 10-minute awareness video, as long as it has a quiz at the end and you can verify that all employees have passed the quiz.
At best, these programs are examples of short-term retention, and provide no reinforcement or actual proof that people exercise the appropriate behaviors as a result of watching the video. We have heard firsthand that to satisfy such standards, a group of employees will assign one person to take the training, write down the answers to the quizzes, and then provide the answers to other people within the organization, so that the other people "don't waste their time reading the slides." This situation is not unique. In short, saying your awareness program is compliant does not necessarily equate to creating the desired behaviors.
Failing to acknowledge that awareness is a unique discipline
You can usually tell if a security awareness program is going to be a success or failure by the person assigned to run the program. It is not the individual's fault; you, as the CSO, need to know whether or not the person has the right knowledge, skills and abilities (KSAs). As awareness involves changing behaviors, you need someone with a competence in what most technology professionals would consider "soft skills" such as communications and marketing.
As CSOs and CISOs are typically the ones to assign a person to run the awareness program, they usually assign people out of their standard pool of people, who are technical. Rarely is it a person who was hired or assigned the position because they have the right KSAs.
Since security awareness seems to involve soft skills, most security professionals believe that anyone can pick up the job. A good security awareness professional will have good communications ability, be familiar with learning concepts, understand that awareness is more than a check-the-box activity, know a variety of techniques and awareness tools, and understand that there is a need for constant reinforcement of the desired behaviors, among many other KSAs.
Just as you would not want to assign a person with no experience or decent technical ability to maintain a corporate firewall infrastructure, you do not want to hire a person without any awareness experience or communications ability to run an organizational awareness program.
Lack of engaging and appropriate materials
As previously mentioned, many or most awareness programs rely on computer-based training (CBT) carried out once a year. CBT can vary greatly in quality. Sometimes an organization acquires posters and newsletters. When there is a check-the-box mentality, lowest cost is frequently the deciding factor in determining which program to use, and the low-cost option is not always very good. Additionally, the materials might not be appropriate for the organization.
Even when low cost is not the deciding factor, you need to ensure that the materials are appropriate for the culture of your organization. Sometimes the person acquiring the materials has a bias for a particular presentation style, which is only engaging to a small segment of the organization's employees. For example, awareness materials appropriate for an Internet company will not be well received by investment bankers.
More important, it is critical that multiple versions of security awareness materials be implemented, as there are generational issues to consider. Research shows that younger employees respond better to blogs and Twitter feeds, while older employees respond better to traditional materials like newsletters and posters.
Not collecting metrics
Without metrics, there is no way to know whether or not a program is truly successful in achieving its goals. You do not know whether you are wasting money or proving value. You do not know whether you are decreasing the number of losses.
By collecting regular metrics, you can adjust your program to the measured effectiveness. By determining what is working and what is not, you can tailor future programs based upon lessons learned. Without such data, you are acting blindly and potentially proliferating failure.
The appropriate metrics also allow for the determination of which components are having the desired impact. They should be taken prior to starting any engagement effort, at least once during the engagement, and also post-engagement. Without such metrics, you will waste time, effort and money. For example, if no one is reading your newsletters, there is no need to continue to create them.
Every time there is a security awareness failing, people bemoan the value of security awareness as a whole. While it would be great if security awareness could prevent all incidents arising from the exploitation of humans, it is not realistic. No security countermeasure will ever be completely successful at mitigating all incidents. There will always be a failure.
With the collection of metrics, you can prove the effectiveness of the program, and determine the most important aspect of the awareness program: whether the program is saving more money than it costs.
Relying upon a single training exercise
Similar to relying upon the once-a-year CBT, many companies have begun to incorporate social engineering or phishing simulations into their awareness programs. While there is nothing wrong with these simulations as a form of training exercise, they only address a single awareness concern.
We identified 17-24 unique awareness topics related to user behavior, dependent on the organization's industry sector. Focusing your efforts on a single attack vector leaves your organization wide open to other attack vectors. Admittedly, the simulations are used specifically because they do create metrics, which is incredibly valuable. However, they should not constitute the entire awareness program.
Most security awareness programs are doomed from the start, but it doesn't have to be that way. You can implement the successful habits that we previously identified, but you first have to remove any impediments to success. By setting the proper foundation, you will be able to implement a program that has a true return on investment and mitigates what is described as the top vulnerability exploited by advanced attacks.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.