Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

9 reasons why your security awareness programme sucks

Ira Winkler | June 6, 2016
The underlying problem is that security awareness programs are more difficult to implement than most security professionals want to acknowledge. Awareness is a separate discipline that requires the appropriate knowledge, skills, and abilities (KSA) to implement a program properly. Without those KSAs in place, nor even the knowledge that a specific set of KSAs exist, security awareness programs will continue to suck.

I remember being both horrified and amused when I spoke to a CIO, who was touting how great an awareness video was. His quote was, “I was scared to check my email after watching the training.” That is completely wrong.

Consider that checking email is a critical business function. People should never be “afraid” to perform a critical business function, but confident in performing it safely. While “motivation” is important to encourage people to behave appropriately, and a bit of fear can provide some motivation, fear can paralyze people. Also, it will eventually backfire, as when nothing happens after a period of time, it becomes the equivalent of “Crying wolf!”

The hacker mentality: Tell people not to do that

While somewhat similar to relying on fear, many awareness programs rely on telling people how a hacker hacked them, and then telling them not to fall victim to it. For example, they will tell you how a hacker asked for a password over the phone and then tell people that this is the reason they should not give out their password over the telephone.

I cannot overstate this fact; just because a person knows how to break something, it doesn’t mean they know how to fix it. For example, just because you can step on a light bulb and break it, it doesn’t mean you can then fix it. While this analogy applies to hacking computers as well, it especially applies to hacking people.

When you tell people specifically what not to do, with specific examples, if a hacker tries other tactics, they will likely be successful. For example, during a social engineering test, I called people and asked for their passwords. If the person didn’t disclose their password, because they were told not to give out their passwords, I walked them through modifying the Registry file in their computer.

Improving security awareness is infinitely more complicated than telling people what not to do. Again, it is about promoting behaviors dictated by governance. This requires integrating behavioral science principles. Marketing is much more akin to awareness than being a career technologist. A technologist can learn behavioral science, but they have to first acknowledge that understanding behavioral science is more important than understanding the underlying technology.

Failing to consider successes

Awareness failures can be devastating. However, awareness failings are relatively rare when you consider all of the actions that users take on a regular basis. Awareness successes are less noticeable, but they happen on a regular basis. Consider how many spams and other emails are not opened.

Every time a user takes the appropriate action, it is a success. Again, it is easy to focus on the failures, and they can be bad. However, when you look at awareness from a cost/benefit perspective, you do need to consider how bad things would be if all potential user failings did occur. No security countermeasure is perfect. Awareness is, like every other countermeasure, not perfect. However, unlike many technical tools, there are no records created for blocked attacks.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.