Information Security Awareness – Down, But Not Out – by Salvatore C. Paladino

For years there has been a persistent and spirited debate regarding the effectiveness of information security awareness programs and whether or not they should be utilized within the enterprise.  Proponents of such campaigns cite the relative low cost of proactive training versus the high cost of incident response and post-incident remediation efforts, while dissenters often proclaim the unwillingness of employees to actively participate in the information security process or the near impossible task of keeping programs current to address a rapidly evolving and dynamic cyberthreat. 

A few months back, Dave Aitel posted an article titled Why you shouldn’t train employees for security awareness, offering several fair criticisms of awareness programs and essentially making the case that such programs are almost always ineffective and therefore not worth the investment.  While I agree with many of the points brought up such as the alarmingly high rate of cyber victimization among workers (even after education) and the relative success technical controls boast in compensating for human error, I believe the failures of awareness programs are a result of common implementation pitfalls and not inherently characteristic of information security awareness as a concept.  Hence, I am unwilling to decry awareness training as a cost-effective and useful tool with a rightful place in any security executive’s bag of tricks.  Instead, I offer a handful of reasons why information security awareness programs fail, none of which I believe are uncorrectable, and some of which complement the innovative notions set forth by Joe Ferrara in his article 10 commandments for effective security training.

Real-world exercises are absent or insufficient

Information security awareness programs often have a solid educational component, but lack exercises to effectively test the employees’ ability to retain information or recognize the real threat.  Other programs include such exercises, but ‘dumb them down’ or fail to include those individuals who serve as higher value targets to adversaries.  For instance, if conducting a mock phishing exercise, it is the first instinct of many experts to make the phish easy to recognize and to avoid sending it to upper management.  The justification is that the former will yield positive performance metrics and provide management a warm and fuzzy, while the latter will avoid making waves among C-levels.  In both cases, the purpose of the exercise (to train and prepare) is largely lost.

Training points to processes that are immature or unreliable

Many programs make a concerted push to inform employees of process changes and foster compliance with new requirements (e.g. report incidents to someone else, begin logging off on this day and time to receive updates).  The problem lies in that often times the employee is exposed to the awareness material before the process is broadly implemented, tested, and mature.  The result might be an employee following instructions, only to find out that the person on the other end of a call is unaware of their responsibilities or a technical staff member fails to follow-up on a report or follow through with a process.  These incidents harm the credibility of the program, and can propel participants into a permanent state of resistance.

Content is either not customized or it’s excessively customized for the enterprise

Content should strike a balance between the general and the specific as well as the practical and the conceptual.  Far too often, security awareness programs are based around general threats that fail to hit home with the intended audience.  This may simply be because little is known about the specific threats facing the organization.  In other cases, specific incidents and internal metrics serve as the only input to the development of awareness materials, resulting in training that is insufficient in addressing organizational change.  As a general rule of thumb, awareness programs should adhere to a three-tiered model.  One third of the content should be based around general information security practice, one third is based around industry or sector-specific standards or threats, and the last third is based around the organization’s posture and the targeted threats it faces. 

Format and delivery are not adequately diverse

The best programs contain a diverse set of awareness materials including print, email, and web-based content as well as face-to-face interaction with employees, the last being the most often overlooked component due to the cost of time and travel.  The fact is that employees learn in different ways and will seek out their desired format.  If it’s not available, then they simply won’t buy in to the program.  If it’s not communicated persistently and frequently, they will ignore it. Further, opportunities to provide both physical and electronic takeaways such as desktop wallpapers, corporate merchandise and prizes, or even candy will foster participation among those who might typically ignore infrequent messages regardless of their purpose.

Material is one size fits all or lacks a personal element

Every role within an organization holds a different set of responsibilities, and information security awareness material should reflect that.  If your IT director and the mailroom clerk receive the same training, then it’s likely at least one of them is getting little to no value from it.  Content should be driven by the employees’ role, their security know-how, their exposure to technology, and the level of privileges they are granted in the course of their duties.  Enterprises often lack specialized awareness material for those with administrator privileges on their desktop, or those that carry mobile devices or smartphones.  Awareness material should address individual activities, particularly those that are considered to be high-risk.   Further, as pointed out by Audrey Agle in Seven practical ideas for security awareness, personal engagement is paramount.  It is likely that most employees have home networks, wireless devices, children using the Internet, or engage in personal banking or investing using the web.  Provide them with tips to keep them and their kids safe – it will encourage participation and buy-in, and will garner their appreciation and support for the program.

Sample sizes are insufficient or do not represent the organization

Obtaining quantifiable data and gauging employee performance is critical.  Unfortunately, generating an awareness metric for every employee in a large enterprise is at best costly, and at worst impossible.  As a result, experts frequently rely on sample sets to assess performance.  These samples can skew results on multiple fronts, the first being size.  There are statistical measures that will help you formulate an appropriate sample size for exercises, surveys, and the distribution of awareness materials. Another pitfall is a sample that does not reflect the organization as a whole.  This can result from oversampling certain business units or employee roles, or better yet sampling only English-speaking employees in order to cut the costs of translating awareness training and broadening metrics gathering.   The solution – make certain that samples are constructed at random, and that everyone has an equal likelihood of both receiving material and being used as a performance metric.

Communications are not championed and compliance is not enforced

Most people recognize the need to champion a cause from the top down in order for it to be effective.  Regardless, security awareness materials are often relegated to the ‘back page’ of company training portfolios and upper management is noticeably absent from security awareness communications.  Further, the absence of management from the program makes it difficult to enforce information security policy violations and instances of non-compliance.  This is particularly true as change is introduced and new processes are rolled out.  The fact is in order to be effective, employees must be exposed to real consequences for ignoring, resisting, or rejecting awareness materials and content.  I once had an executive suggest that bonuses be withheld from those employees who failed to complete training.  While that type of Draconian technique might keep human resources and legal personnel up at night, there are lighter alternatives such as refusing to issue devices until training is complete, temporarily revoking administrator privileges, or notifying supervisors and next level managers until someone takes notice.    

Past incidents are ignored for the sake of confidentiality

Corporate fears of bad press, declining stock prices, and a loss of goodwill or consumer confidence are certainly warranted and well placed.  As a result, executives do everything they possibly can to prevent potentially damaging information surrounding security breaches and/or incidents from making their way to the public.  This often means that past incidents become taboo and are not discussed in any form, particularly awareness materials.  This has a detrimental effect on security as the most teachable moments are lost in the ether.  A more constructive (and still safe) approach is to sterilize the information associated with an incident and use it to train employees to recognize the actual threat.  How does one do this without divulging damaging information?  Simple – keep the discussion focused on the attack vector, not the result of the incursion.  Rather than discuss technical vulnerabilities and IT response measures, identify only the component where employee action (or inaction) would result in a positive outcome. 

Outside vendors are used ineffectively

Enterprises may look to outside vendors to support their security awareness campaigns or formulate exercises to test employee knowledge and preparedness.  Sometimes, this can be beneficial, as outside vendors tend to have specialized expertise and can provide an unbiased, independent perspective about your security posture.  However, often times specific requirements are not discussed beforehand, resulting in a boilerplate program that does not yield much needed metrics and falls well short of being customized to your organization, industry, and risk appetite.  Avoid wasting time and money by identifying clear objectives prior to the work being done.  Further, be weary of relinquishing total control of content development and the execution of training exercises to an outside vendor.  Instead, leverage a blend of outside experts with internal personnel who are intimately familiar with your environment and the type of metrics upper management demands.   

About the Author

Salvatore C. Paladino is a Cyber Security Analyst and Project Manager with a large defense contractor in support of the Department of Homeland Security and the Department of Defense. His areas of expertise include technology evaluation, transition, and deployment, information security policy development, information assurance training and awareness, and the identification of emerging cyberthreats. He has authored numerous technical papers and has testified before the New York State Commission of Investigation as an expert witness specializing in cybersecurity.

Mr. Paladino holds a BS with a concentration in Computer Security from Utica College of Syracuse University and an MBA in Technology Management from the State University of New York. In addition to being certified in Risk and Information Systems Control (CRISC) and a Certified Information Systems Security Professional (CISSP), he is a CompTIA Network+, Security+, A+ and CTT+ Certified Professional. He is also an Adjunct Instructor of Cybersecurity in the School of Business and Justice Studies at Utica College.

Sal can be reached for comment at salpaladino21@yahoo.com.