Our past article describing Security Awareness program failures created some controversy. We stated that one reason programs fail is because they rely on a single component, such as phishing exercises or Computer Based Training (CBT). Apparently, for many organizations either of those two elements is both the beginning and the end of Security Awareness efforts. This generated the question as to what else organizations should include to build an impactful Security Awareness program that creates the desired behavior changes.
The last statement is the most critical. Security Awareness programs should intend to create behavior change. Admittedly, phishing simulations can create what is known as a teachable moment, and can have a lasting impact. However, they only address a single awareness concern. CBT involves watching a single video, and as any armchair advertising expert will tell you, it takes constant reinforcement for the message to sink in.
So how do you get the message to sink in? Research shows that you need to present the information on at least 3 occasions, and ideally in multiple formats, as different people prefer different formats. To create a successful Security Awareness program, you should therefore use as many formats as possible. This article identifies the categories of formats to consider incorporating into your programs. A more detailed listing is available on our website.
Collateral
Collateral is a broad term for internally distributed materials. These are things like newsletters, blogs, and other internal communications. These types of internal communication serve as a simple reminder to your users that security is important and give you an opportunity to educate them once you have their attention. Try to keep these communications bite-sized, but give them a link back to a lengthier article if they want more information. Work within acceptable corporate guidelines, but be aware of limitations. If newsletters are the only way, still go for it, but try to appeal to different demographics.
For example, while older people tend to respond to traditional newsletters, Millennials might respond better to a blog or Twitter-like activities. Also consider the possibility that some media types might be too congested. For example, newsletters might be deleted unread out of habit by many employees, so they might not be the best choice of venue for your Security Awareness program. Whichever formats you choose, make sure you set up your process to enable you to capture metrics on readership and click-throughs. Metrics will allow you to determine where to focus future efforts.
Posters
Posters are a tried and true method of raising awareness. While some people believe they are old-fashioned and outdated, they can be very effective when they are well designed. The Smokey the Bear and the now ubiquitous "See Something, Say Something" campaigns are a testament to the effectiveness of posters. If you lack the skills to come up with a catchy tagline and your best shot at drawing still limits you to stick figures, it's okay to branch out to your internal marketing team or contract a graphic designer. This way you can ensure the style of poster and messaging matches your corporate culture.
Also consider including a QR code that will bring users back to your internal knowledge base, if you have one. This will accomplish two things: 1) give your employees more information on the given topic, and 2) collect metrics on how many employees are reading your poster and looking for more information. Lastly, make sure your posters are placed in highly trafficked areas where they will receive maximum visibility. You don't want to place them where they become background noise.
Computer Based Training
CBT is the most omnipresent component of security awareness programs, as it is the most clearly accepted method of achieving compliance. Per our past article, this is a case where people confuse Security Training with Security Awareness. CBT provides a set body of knowledge and tests people to ensure short-term memory retention. However, the reliance specifically on CBT as a Security Awareness program is what creates the bulk of the criticism about Security Awareness in general. Despite what the critics say, this is still a vital component. The CBT gives you an opportunity to summarize the most important lessons you would like your employees to learn.
CBT can range from 3 minutes to an hour long with varying degrees of interactivity. Unless the CBTs are on the shorter side, they are limited to once per year, as you can't have employees taking extended training on multiple occasions. However, multiple short CBTs can be used to reinforce many concepts throughout the year and can be very valuable.
Events
Well-executed events bring the Security Awareness program, and the whole security effort for that matter, to life. Events are your time to shine. Be creative, give out food or gifts, and display security's smiling faces. These events are your greatest opportunity to put a face on security, instead of being relegated to "the man behind the curtain." This is a chance to boost security morale and educate your users. Most frequently, these events coincide with Computer Security Awareness Month in October; however, they can be held anytime throughout the year.
Many companies have a booth with some sort of game. Other events include a speaker or a demonstration. You can show movies with a security theme. The sky, or whatever your budget and upper management dictate, is the limit. These events also provide an additional opportunity to gather metrics on how many employees stopped by your event.
Lunch and Learns are specific examples of ongoing events. In this case, you hold events on particular topics and allow the employees to voluntarily attend. Ideally you cater to their personal interests and provide lunch. These events also provide an opportunity to partner with other departments, such as marketing, to get your message across more effectively.
"Road shows" is the term for special events delivered to particular departments about their unique security concerns. People love to feel special, and creating a presentation catered to them will help accomplish this. Interacting with them in a smaller group setting will also likely leave a greater impact than the time they spent in front of a computer screen during their CBT, or at least enhance it.
Security Portal
An internal security portal provides several functions. First, it hosts a knowledge base. A knowledge base can be time-consuming to create and maintain, but it can provide a huge return on investment. It should include information on security-related topics, such as securing a mobile device, creating a strong password, and travel security. It is also important to include information on home and personal security strategies, such as protecting children online and securing social media accounts. If you provide information that personally engages employees, the behaviors can translate to secure work habits.
Creating the knowledge base can seem a bit like Sisyphus and the rock, especially since it must also be kept up to date to reflect changing technologies. However, the time is worth it: the knowledge base engages employees and provides information that is not covered by other awareness efforts but is still important to the employee.
The other critical aspect of a security portal is a method to contact the security staff with questions. This provides a way for people to report potential incidents and to reach out with general questions and concerns.
Behavioral Testing and Teachable Moments
Phishing, USB drive drops, and Social Engineering tests require some care, but are important components to give your employees a "teachable moment." Employees who are not practicing safe security behaviors are identified by these tests and given on-the-spot training about the risks of their actions and how they can spot real attacks. These activities also provide the best metrics you are usually able to collect. If you can determine a potential loss per incident, then with the right preparation this is the most effective tool available to demonstrate return on investment.
There are however limitations to this type of testing. For example, a common tactic is to use kitten videos or pictures to get people to open up a phishing message. If a person doesn't like cats, it doesn't mean that they are secure against attacks that might use other pretexts. There are ways of integrating science into such testing to make it more useful, which will be the topic of a future article.
We have just identified the categories of components of an effective Security Awareness program. Clearly, there are many potential components of a program, and we provide a more detailed listing on our website. The components or formats you choose should, again, be as numerous as possible, so that you provide the maximum number of exposures in the maximum number of formats. This provides the greatest opportunity to reinforce the desired behaviors, as well as addressing people in the formats they are most receptive to.
Security Awareness is about creating a strong security culture. Such a culture saves organizations money by reducing the number of security incidents. That is not easy to accomplish and goes well beyond having people watch a video or teaching them not to open an e-mail.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.