As a security awareness professional, you can be the tip of the spear in coordinating a comprehensive solution to reducing user-related losses. Your primary focus is to create behavioral improvements that reduce the initiation of losses.
Disputing the Myth of the Human Firewall
The section heading might anger a lot of security awareness professionals, but I see the idea of the human firewall as a dangerous myth. The idea that users are your last line of defense (which is a catchphrase for many phishing simulation companies) is fundamentally wrong.
First, consider that users are not the last line of defense in any practical way. For example, if a user clicks on ransomware, the user environment can stop the user from downloading malware by not giving the user permission to install software. Even if the software is downloaded and installed, antimalware can stop the ransomware. To accept that the user is the last line of defense, you have to discount many useful technologies that are commonplace in organizations.
Michael Landewe, the CTO of Avanan, said it best:
If a user is our last line of defense, we have failed as an industry.
Regarding the claim of creating a human firewall, in principle it sounds great, but any security professional knows that even technical firewalls will fail. Users are less reliable than technology. Creating a human firewall implies that you will create an entire organization of users who always behave appropriately and securely. That isn’t possible, however. Though humans can consistently behave well, no individual (and especially no group of humans) in the history of mankind has always exhibited error-free behaviors.
Consider also that although other technologies do only what they’re instructed to do, humans can have malicious intent. If you leave your users as your last line of defense and they’re malicious, the results will be disastrous.
I want you to create the best security awareness programs possible, but you need to remember where you fit within the overall chain of actions. If you give the impression that the user has ultimate control of your systems, then the first time a user fails, you fail in your self-described mission, which can damage the credibility of your program. Consider that you don't even see people who manage firewalls imply that their firewalls will stop all attacks from getting in. If you spout off to management that you will create a human firewall to repel all attacks targeting humans, then the first time a user fails, your program has failed based on your statements. Everything else you do will be met with skepticism, including requests for budget funds, personnel, time, and other resources. Don’t set yourself up for failure from the start.
The reality is that most people don’t give users and security awareness programs enough credit. Every time a user avoids clicking on a phishing message, your awareness efforts are successful. Every time a user locks up sensitive information, your awareness efforts are successful. Every time a user protects their screen from shoulder surfers, your awareness efforts are successful. These successes happen all the time.
Your users are a critical part of your organization’s system, and your efforts can significantly reduce loss. Aware users have helped organizations avoid disaster. I have personally been involved with users who have thwarted major attacks. Even when attacks have been reported after the fact, aware users responded appropriately, alerted the appropriate people, and significantly reduced the resulting loss.
The awareness programs you create can provide an immense return on investment. Just be sure that you set realistic expectations.
Chapter 2
Starting On the Right Foot: Avoiding What Doesn’t Work
IN THIS CHAPTER
Making compliance the goal — and nothing more
Failing to compel compliance
Overindulging in science with limited practical use
Mistaking social engineering skills for awareness expertise
Setting inappropriate expectations
Valuing products more than process
Buying into gimmicks that yield no results
Overestimating the role of security awareness
After working in the security awareness field for 30 years, I have learned the importance of knowing not only what works but also what doesn’t work. In the security awareness field, knowing what doesn’t work is almost more important than knowing what works.
This chapter helps you sidestep the problems I encountered throughout three decades spent working in security awareness. Your security awareness programs probably won’t be perfect from the start, but being aware of the red flags can definitely help you steer your program in the right direction.
Making a Case Beyond Compliance Standards
Checking the box means that an organization wants to meet compliance standards and nothing more. In this situation, you will have a harder time garnering budget and management support for your efforts. To create a security awareness program that changes employee behavior, however, you need to make your case — and prove that awareness provides a real return on investment.
CHECKING THE BOX MIGHT NOT BE JUST FOR AWARENESS
Sometimes the Check-the-Box mentality extends not just to the awareness program but also to the security program in general. One of my friends was hired as a CISO of a credit union. One of his first acts was to have me submit a proposal for a security assessment. The proposal met his budgetary needs and he submitted it for approval. He called me up a few weeks later to tell me that they would not be proceeding with the assessment, because his management team thought they had only $10 billion in assets and believed that criminals would never go after such a small financial organization. He went on to say that he found out that the only reason he was hired was that the auditors told the board they could not pass an audit without a CISO in charge of information security. It was no surprise when he left the organization three months later.
Clearly, an entire security program based on the principle of Check the Box presents a major threat to an organization, and, more importantly, to its customers. I use this example to highlight the point that, although an entire program being a Check-the-Box effort is a clear danger, treating any element of the program as a Check-the-Box effort represents a major risk to the entire program.
Though standards evolve, at the time of this writing, the major industry standards regarding security awareness are vague. For the most part, all they require is that an organization