In Chapter 8, I show how you can justify your efforts, even to a tough Check-the-Box crowd, by using metrics to demonstrate the value of your efforts to your organization.
Treating Compliance as a Must
Security awareness programs fail when they treat security as a should-do task and not as a must-do task. Security becomes a mere should-do task when programs seek to influence people to behave securely. These programs attempt to influence users to do the right thing by providing them with more information. Security becomes a must-do item only when users appreciate the consequences of their failings.
Consider awareness programs for sexual harassment, financial compliance, and similar issues. These programs don’t try to influence people to do the right thing — they inform users of their job requirements and the consequences of failing to meet those requirements. Failing to meet financial compliance requirements (such as properly filling out time cards, for example) can result in employees not being paid.
Compliance with a security awareness program that can prevent company operations from grinding to a standstill because of a ruined computer network must, similarly, be treated as, well, a must-do task. Security behaviors should be embedded within all business practices — not just added to the process. For example, when you’re authenticating a user for a system, the security checks should be not an addition to the process but an embedded step within the overall practice. It isn’t a separate function.
Ruining the company computer network typically has far-reaching implications that are difficult to recover from. Yet desired cybersecurity practices continue to be treated as a should-do task. If you want your awareness message to be conveyed and followed, you need to portray your message as a must-do task. In other words, proper security-related behaviors aren’t optional — they’re required, just like all other business functions. Let me be clear: I am not saying that you personally should make the behaviors a must; good security practices are likely an organizational mandate.
Motivating users to take action
Awareness professionals naturally want to believe that if they inform a person about an obvious concern, that person will take appropriate action, just by virtue of having received the information. In my experience, this assumption too often proves incorrect. Gaining compliance requires much more effort than simply relaying information. You need a detailed strategy, specific to your circumstances, that involves enforcement and creating a culture where everyone implements the expected behavior by second nature as part of their normal job function. (I discuss these strategies in detail in Part 2 of this book.)
Consider how this dynamic plays out in the rest of your life. Most people know that eating healthy foods and exercising can improve their health. In some cases, they even know that they can face dire medical consequences if they refuse to eat well. Yet they continue to ignore the advice. Relating this example to security awareness, the trick is to ask people to do a few simple things differently that will reduce an organization’s risk profile hugely and quickly, not make them into security experts.
BJ Fogg, a Stanford University researcher, developed many widely accepted concepts of human behavior. One of those behavioral concepts is the information-action fallacy, which is the belief that if you tell a person what they should do, why they should do it, and how it directly benefits them, they will do it. Just as this strategy doesn’t work in fitness, neither does it work with security awareness, where the implications are less dire for the individual.
When you implement your awareness program, you must dispel any belief on the part of yourself and the security team that, just because you inform people of an apparently critical issue, they will follow your guidance.
Working within the compliance budget
The compliance budget concept highlights how employees at work have a variety of requirements placed on them and their time. They have to balance how much time they use to satisfy various required tasks. The compliance budget accepts that users may well understand the importance of good security practices. It also acknowledges that users may consider other concerns to be equally or more critical. The more embedded security practices are within a job function, the more likely the practices will be implemented.
For example, if a user is running late to a critical client meeting, even if they know that securing the workspace is important, will they make themselves even later to the meeting in order to secure their computer and lock away sensitive documents? How do they determine which correct action takes priority? If you portray the security practices in your awareness program as a should-do item, you allow the user to ignore your guidance in favor of more apparently pressing issues. If your guidance is defined as a must-do item, however, it’s much more likely to be followed and implemented.
Users are typically balancing a variety of concerns, both personal and work related, and you need to consider how you’re presenting your materials with regard to positioning security awareness, among all the other daily concerns across their work and personal lives. This is where nudges and other properly placed security reminders, as discussed in Chapter 7, can have an impact on diligent users.
Limiting the Popular Awareness Theories
This section is probably the most controversial one in this book, as I take on a lot of popular concepts that I consider specious. When I read articles written by seemingly well-meaning security awareness experts, I see them quote scientific studies on psychology and marketing, among other areas, and I hear terms like mental models thrown around. These studies present ideas that seem important, but at the end of the day, I consider these ideas not practical to improve behaviors across an entire organization. I’m not saying that they’re irrelevant, but the focus on these sciences appears to be misplaced (as I discuss in the next section).
Applying psychology to a diverse user base
Yes, psychology can be a useful subject, and it defines the personality types of various people. At one level, by understanding various personality types, you should be able to understand the diverse thinking among your target audience. However, properly implementing psychology as a science and as a fundamental part of your awareness program would involve developing awareness materials targeted to individual personality types.
Consider that there is no single form of psychology: a psychologist works with each individual in a way that satisfies that person’s individual needs. Just as some techniques work better than others for various types of psychological problems and personalities, the same is true for awareness.
IF YOU SEE SOMETHING, SAY SOMETHING
The title of this sidebar represents one of the most effective counterterrorism campaigns ever, used by US authorities to encourage people to report suspicions that might be associated with terrorism. At the same time, if you consider this campaign, it represents why awareness