I remember being both horrified and amused when I spoke to a CIO, who was touting how great an awareness video was. His quote was, “I was scared to check my email after watching the training.” That is completely wrong.
Consider that checking email is a critical business function. People should never be “afraid” to perform a critical business function; they should be confident in performing it safely. While “motivation” is important to encourage people to behave appropriately, and a bit of fear can provide some motivation, fear can also paralyze people. It will eventually backfire as well: when nothing happens after a period of time, it becomes the equivalent of “Crying wolf!”
The hacker mentality: Tell people not to do that
While somewhat similar to relying on fear, many awareness programs rely on telling people how a hacker hacked them, and then telling them not to fall victim to it. For example, they will tell you how a hacker asked for a password over the phone and then tell people that this is the reason they should not give out their password over the telephone.
I cannot overstate this fact: just because a person knows how to break something, it doesn’t mean they know how to fix it. For example, just because you can step on a light bulb and break it, it doesn’t mean you can then fix it. While this analogy applies to hacking computers as well, it especially applies to hacking people.
When you tell people specifically what not to do, with specific examples, a hacker who tries other tactics will likely be successful. For example, during a social engineering test, I called people and asked for their passwords. If a person didn’t disclose their password, because they had been told not to give out their passwords, I walked them through modifying the Registry on their computer.
Improving security awareness is infinitely more complicated than telling people what not to do. Again, it is about promoting the behaviors dictated by governance. This requires integrating behavioral science principles. Awareness is much more akin to marketing than to being a career technologist. A technologist can learn behavioral science, but they have to first acknowledge that understanding behavioral science is more important than understanding the underlying technology.
Failing to consider successes
Awareness failures can be devastating. However, awareness failures are relatively rare when you consider all of the actions that users take on a regular basis. Awareness successes are less noticeable, but they happen on a regular basis. Consider how many spam and other unwanted emails are simply never opened.
Every time a user takes the appropriate action, it is a success. Again, it is easy to focus on the failures, and they can be bad. However, when you look at awareness from a cost/benefit perspective, you need to consider how bad things would be if every potential user failing did occur. No security countermeasure is perfect, and awareness, like every other countermeasure, is no exception. Unlike many technical tools, however, it creates no records for the attacks it blocks.