As someone who focuses primarily on the human aspects of security and on implementing security awareness programs, I often surprise people by being neither upset nor surprised when the inevitable human failing occurs. The reason is that I have concluded that most awareness programs are simply very bad, and that, like every security countermeasure, they will inevitably fail at some point.
I have to admit that it is frustrating to have to argue with people who claim that awareness is always bad. They argue that since there will always be at least one failing, an awareness program is not worth the effort in the first place. Of course, I vehemently disagree. However, to debate these people and address their points, at least in the eyes of decision makers, you need to understand the foundation of their arguments and accept the premises that are true.
Three years ago, I wrote a similar article on the failings of awareness programs. In the last three years, I have reviewed dozens of other programs, investigated incidents, watched vendor marketing campaigns, listened to the hype, and heard about thousands of data breaches. While I try to avoid repeating the same points, there may be some repetition, though with refinement. I intend to raise the points most relevant to the current, apparently poor, state of awareness.
In the coming months, I will delve into some of these failings as separate articles, as they can be complicated subjects to address. For now, just consider that they do present specific issues that you might need to address.
This is probably the greatest deficiency in all awareness programs. Too many awareness programs focus on telling people what not to do. The fact of the matter is that awareness should focus on implementing good security-related behaviors. These behaviors should be defined in formal procedures and guidelines. In other words, a security awareness program should be the promotion of the behaviors defined in governance.
Security policies and procedures commonly sit on the shelves, except when auditors request to see them to ensure they exist. Whether people realize it or not, governance should ensure that a security program is not an accident, but a purposeful, well-defined activity. In short, a security awareness program should likewise be a purposeful activity.
Relying on fear
As opposed to the positive promotion of procedures and guidelines, many awareness efforts attempt to scare people. I assume the thought is that if people are scared, they will stop and think an action through. That is a gross mistake.