A metric demonstrating that you’re changing behaviors in a way that reduces loss, or preferably improves efficiency and makes the organization money, is the most useful metric to show that you’re producing value. This isn’t to say that it’s the only possible benefit of a security awareness program. Awareness programs also often provide intangible benefits to the organization. These benefits include protecting the organization from damage to its reputation, illustrating that the organization is committed to security, generating excitement and engagement among employees, and reassuring customers that your organization is actively protecting them.
GETTING THE BUDGET YOU NEED
I developed a philosophy during my career in cybersecurity:
You don’t get the budget you need — you get the budget you deserve.
Security awareness teams typically compete against other teams for budget funds and other resources. For example, the team may work under the cybersecurity, human resources (HR), compliance, legal, physical security, or another department within the organization. All these teams compete for funding and other resources. Even if your cybersecurity program has sufficient resources to fully fund all teams, including the awareness program, you have to show that you deserve the budget amount you’re requesting. You need to financially justify your efforts.
You can have plans for the best awareness program in the industry, but if you cannot demonstrate that you deserve the appropriate budget, you won’t get the budget you need to implement it. Chapter 8 details how to collect metrics that help you show that you deserve what you need.
Showing users how to “do things right”
For your awareness program to help create desired behaviors, the program must show people the proper way to perform job tasks, or “do things right.” In other words, you provide instructions on how to do things properly by default.
When you consider most of the materials produced by vendors, and a great deal of the materials produced by organizations for internal use, these materials frequently focus on the fact that “bad people” intend to trick you. They tell you about criminals who will do harm if you fall for their tricks. This information can provide motivation, which can be worthwhile, but it’s doesn’t show users how to recognize suspicious situations as they encounter them.
When you teach people to focus on the ways bad people will exploit them, the training will fail when the bad people try a different trick. Expecting users to combat well-resourced, highly skilled criminals is a losing proposition. You cannot expect users to be consistently effective in thwarting such parties.
The better approach is for your awareness training to focus on the way that users can do their jobs properly. Ensure that users have an established process that they’re familiar with and that they know how to follow. The process should account for the potential of bad people trying to game the system.
I once worked with a large online gaming company that had problems with criminals calling up the support desk to dupe the support personnel into changing the passwords on specific accounts so that the criminals could go into the accounts and sell the assets. I created a decision tree to authenticate callers. As long as the support personnel followed the provided guidance, no accounts were compromised and no one had to train the support personnel to handle each and every possible scenario that bad people would try. It didn’t matter. We just told them the one way to do their job properly.
Though this strategy may not be feasible in every case, for every job function, your awareness efforts should generally focus on providing guidance in how people should do their jobs properly. This requires embedding security within job functions.
In many cases, you may find detailed procedures already defined but not well known or practiced. In this case, your job is to find those procedures and figure out how best to translate them into practice.
Recognizing the Role of Awareness within a Security Program
Awareness isn’t a stand-alone program that the security team uses to deal with the user problem, as it’s commonly called. Security awareness is a tactic, not a strategy, used to deal with the user problem.
As I cover in the earlier section “Reducing losses from phishing attacks,” for a phishing attack to exploit your organization, your system first has to receive the email message on your server. Your system then has to process the message and present it to the user. The user has to review the message and decide how to act on the message. If the message contains malware, the system has to allow the malware to install and execute. If the message sends the user to a malicious link, the system has to allow the user to reach the malicious web server. If the user gives up their credentials on a malicious web server, the system then has to allow the malicious party to log in from anywhere in the world.
When a phishing attack succeeds, the user action is just one link in a fairly involved chain that requires failure throughout the entire chain. This statement is true for just about any user action, whether it involves technology or not.
Here are several concepts to consider:
The user is not the weakest link.
Awareness addresses one vulnerability among many.
The user experience can lead the user to make better decisions — or avoid making a decision in the first place.
Most importantly, to stop the problem, you have to engage and coordinate with other disciplines. See Chapter 5.
Dealing with user-initiated loss (after all, the actions can be either unintentional or malicious) requires a comprehensive strategy to deal with not just the user action but also whatever enables the user to be in the position to create a loss and then to have the loss realized. You can’t blame a user for what is typically, again, a complex set of failures.
Though it’s true that, as an awareness professional, you can just do your job and operate in a vacuum, doing so inevitably leads to failure. It goes against the argument that you deserve more. This doesn’t mean that the failure wouldn’t happen even if everyone cooperated, but operating in a vacuum sends the wrong message.
The security awareness program isn’t the sole effort responsible for mitigating user error. If you say nothing to oppose this idea, you give the impression that you agree with it. Worse, you give the impression that users are responsible for any loss resulting from harmful actions that you already anticipate they will eventually make, such as clicking on a phishing link or accidentally deleting a file.
You have a responsibility to reduce risk by encouraging secure behaviors. But you’re also part of a team and you should