Company leaders sometimes assume that technical workers, including security team members, have more common sense than the average users. In my experience, this assumption is often incorrect. A common tactic used by cyberthieves, for example, is to pretend to be another person, call an organization’s Help desk, and persuade an unwitting Help desk representative to reset that person’s password. As a test, I have personally convinced a Help desk rep within one of my targeted companies to send me a new computer during a social engineering exercise. During physical penetration tests, I frequently just walk into the security office and persuade the employees to issue me an actual facility badge.
Unless you know that a person in a given job function receives fundamental training that enables them to act on your guidance, you should assume that they lack the necessary common knowledge. This assumption should be embedded in every aspect of your awareness program, where you consider whether users have the underlying knowledge to enact the information you provide. You probably can’t include every basic concept into awareness materials, but you need to design your messaging to accommodate a lack of common knowledge.
If you need to provide more detailed information than you can provide in a given communications medium, you might want to link to or refer to a more detailed information source, such as the knowledgebase I describe in Chapter 7. This way, you can provide your intended message and ensure that common knowledge is available.
Borrowing Ideas from Safety Science
Perhaps one of the most valuable sciences an awareness professional can research is safety science. To put it simply, safety science intends to prevent workplace injuries. Workplace injuries create tangible loss to an organization. Organizations must deal with not only the immediate cost of treating the injury but also lost productivity, medical costs, potential lawsuits, legal penalties, regulatory penalties, increased insurance costs, and other losses. Depending on the industry, operations may cease if an injury occurs.
Clear costs are associated with workplace injuries, so specific cost savings are generally easy to attribute to efforts that prevent them. Extensive resources, with sponsorship from top executives, are understandably put toward safety efforts. There is also the potential for regulatory requirements to drive executives harder. Security awareness efforts, on the other hand, provide benefits that can be more difficult to measure. When a user makes an error related to security, they may not injure themselves, but they can definitely cause damage to the organization. So safety science has to be adopted to cybersecurity practices.
Recognizing incidents as system failures
A critical philosophy adopted in safety science says that if an employee injures themselves, it’s a failure of the entire system. The idea is that a user should never be in a position where they can injure themselves, and even if they are injured, the extent of the injury should be minimized.
Safety science identifies these three phases to an injury:
The environment that puts a user in a position where they can injure themselves
The action that creates the injury
The response to the injury
Safety experts first focus on creating a workplace that is less likely to cause an injury. For example, I spoke to the safety manager at a manufacturing company where I was creating an awareness program, who told me that the company had problems with forklifts hitting employees inside a warehouse. After studying a variety of alternatives, company leaders decided on the simple act of painting yellow lines down the aisles of the warehouse. Employees were to walk on one side, and forklifts were to stay on the other side. This strategy stopped approximately 90 percent of accidents involving forklifts.
Because you can never completely remove the possibility of injury, you must consider that users will be in a position to injure themselves. Safety science then studies the role of awareness, as well as what IT professionals call the user experience. If a user is operating a piece of equipment that is too big for them, for example, they can injure themselves. Likewise, if the user doesn’t know how to properly use the equipment, they can injure themselves. Even if the user does know what to do, they might not do it as intended.
As I discuss in Chapter 1, you have to work with other teams to create a resilient environment, and when you know your environment, you can train people how best to use it.
Just because a user is aware of what to do doesn’t mean that they will do it. They may not have mastered the information. They might know what to do and not have motivation to do it. They might want to implement the awareness information, but they might be in a rush and take shortcuts. For many reasons, even an aware user might not follow awareness guidance.
Responding to incidents
Even with the best awareness, someone will injure themselves. You therefore need to put in place an environment that expects an injury and attempts to reduce its severity. This includes ensuring that first aid kits are in place, along with properly trained first responders, the ability to shut down operations if required, and other procedures. This also includes a post mortem (a post-incident review) of the injury to examine how similar injuries can be prevented in the future.
The root of the problem is not that a user takes an unaware action but rather that the user actions create damage. Safety science looks at the process holistically.
Though someone should address safety problems in a cohesive way, awareness professionals seek only to create better implemented awareness programs. Understanding how your work as an awareness professional fits in with the overall loss reduction program is important. You can then work with the other security teams to coordinate your efforts and tailor your efforts to fit within their efforts.
Applying Accounting Practices to Security Awareness
A proper accounting program protects an organization from financial loss. Accountants study financial processes and determine where losses can occur and how to control them through processes.
In much the same way as safety scientists figure out how a person comes into the position of a potential injury and proactively tries to remove that potential, accountants try to put processes in place to proactively remove the opportunity for financial errors. This involves proactively tracking financial and tangible resources. It means that there is categorization of all resources. This is why there are so many annoying processes apparently in place in many businesses.
Likewise, a person has to endure many processes when they’re in the middle of a financial transaction, and follow detailed operational guidelines for how transactions are to be performed. For example, when I travel and have to file an expense report, I have to meet specific requirements for the level of documentation required. In some cases, I can just ask for a flat amount for all meals. In other organizations, I have to categorize every expense I want to be reimbursed for and then provide a receipt