There is a great dichotomy in security awareness. Just about all of the CSOs we talk to believe that one of their top priorities is to improve their organization's security culture -- in other words, the behavior of their users. Similarly, we see article after article and study after study talking about how humans are the primary attack vector for advanced attacks. Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases, such as protecting and attacking "Layer 8," have emerged.
Yet we periodically see the media entertain notions that challenge the value of security awareness. While there are notable security awareness failings, awareness, like all security efforts, is about risk mitigation, not complete prevention, and it needs to be implemented properly.
While we previously spoke about what makes security awareness programs successful, it is also important to proactively recognize what might cause programs to fail. Even if you attempt to implement good practices, you have to ensure that you are not already executing practices that subvert your program before you start. In this article, we address the practices you should watch out for proactively to prevent failure. In this case, failure generally translates to major losses.
Not understanding what security awareness really is
This is probably the most fundamental reason for the failure of most awareness programs. There is a basic lack of understanding in the industry as to what security awareness actually is. There is a major difference between security awareness programs and security training. Training is about providing a set body of knowledge and typically tests for short-term comprehension. Watching the standard "awareness" video is an example of such training.
The primary purpose of security awareness is to change behavior. There is no test of short-term comprehension. The only "test" is how a person behaves on an ongoing basis in the real world.
The mere act of providing a set body of knowledge does not change behavior. Information must be provided in a way that relates to how employees think and behave. There must be a personal association between the knowledge and how it would affect their actions. There is also a difference between providing an individual information on a one-time basis and delivering information in different formats over the course of time to effect change.
In short, though, it is rare for an organization to actually understand and implement a program that intends to actively engage the employee with the sole purpose of striving for a better security culture.
Reliance on checking the box
Any good CSO will tell you that compliance is just a start for any security program. Security compliance standards do not guarantee security in any way; they just provide a minimum level of security countermeasures. Candidly, most compliance standards do not provide reasonable security, and this is especially true regarding security awareness.