Though behaviors may be related to an individual’s motivation and abilities, you can analyze the behavior at a macro level to identify how to improve the overall motivation and abilities of individuals. You can then decide on ways to improve prompting as well.
The Forgetting Curve
The Forgetting Curve, shown in Figure 3-3, describes the rate at which individuals forget information when it isn’t reinforced in memory. Suppose that I introduce you to someone, for example — the longer you go without being reminded of the person’s name, the less likely you are to remember it.
FIGURE 3-3: The Forgetting Curve.
Security awareness programs naturally rely on users’ retaining information, much of which may be new to them. Suppose that you show people a three-minute video and then administer a three-question quiz on the content of your program. If users have no reason to recall that content beyond the training session, their ability to recall the information declines quickly, until eventually they forget the information altogether. Fortunately, you can offset users’ memory decline by building a reinforcement strategy into your program.
This list describes some ways you can try to “interrupt” the Forgetting Curve and slow the rate of forgetting among users:
Reminders: Provide periodic reminders to refresh and enhance users’ knowledge. These can be posters, mouse pads, or any other “nudge” item that provides a frequent trigger for the information.
Significance of information: Convey the significance of the information you share in your communications. If users assign significance to what you’re saying, they may automatically (like magic!) embed the information into long-term memory. This can include describing significant harm experienced, or, potentially, penalties for violating the procedures described.
Memorable presentations: Present information in memorable ways, such as by using humor, outside speakers, or unique formats.
Show connections: Tie the information to other memorable lessons, such as relating a past incident to how the application of your information could have prevented it.
Remembering That It’s All About Risk
When I speak at various events, I sometimes ask my audience, “Who is a security professional?” Of course, everyone raises their hand, and I reply, “You are all failures.”
I go on to explain that the dictionary definition of security is being “free from risk,” and you can never be free from risk. Therefore, you will always fail when your stated goal is security. Supposed “security” professionals are charged with risk management, or determining risk and then mitigating that risk as long as mitigating the risk isn’t more expensive than the risk being realized.
Risk can have different meanings in different professions. As I advocate throughout this book about the need to deliver and demonstrate risk reduction, the remainder of this section defines what I mean by risk reduction in a way that you should be able to share with others — especially those people whom you report to or need to show your return on investment.
Optimizing risk
When you create a security awareness program, you want to create the most risk reduction while using the least resources. To optimize your efforts, make it your goal to influence as many people as possible, but don’t expect to influence everyone. You can potentially influence everyone, but that means dealing with everyone individually, and unless you’re in a very small organization, this approach is impractical and too expensive. From a practical perspective, if you spend more on your awareness program than you save through your efforts, your program will be a hard sell to management.
To discuss risk, you need to have a working definition of risk that you can use to step your organization through the costs and the expected rewards. This should also include the definition of exactly what is at risk. The following sections should help with the process.
The risk formula
Risk is what your organization has to lose. Depending on your industry, risk can be a probability or a value.
To better understand how risk is defined, consider the visual relationship shown in the structure of the following formula, which I call the risk formula.
As shown in the formula, Risk is the value you have to lose times the probability that loss will occur — which makes intuitive sense. For example, if your organization has a value of $100 million and the probability of loss is 75 percent, your risk is $75 million.
Value is essentially what you have to lose. The probability that you will lose that value is a function of your Threats combined with the Vulnerabilities that allow the Threats to exploit you. If you have no threat, you have no risk. If you have no vulnerabilities, you have no risk. The reality is that you always have threats and vulnerabilities, so unless you have no value, which is inconceivable, you have risk.
When you consider the formula, the only thing offsetting your risk are Countermeasures. Your countermeasures mitigate threats. You won’t mitigate value, because you don’t want your security program decreasing the value of your organization.
Value
Value is what your organization considers an asset. It can be a monetary asset, a reputational value, an intangible value (such as morale), or an operational efficiency, for example. It doesn’t have to equate to money specifically, but there will be a distinct asset that your organization wants to protect.
From an awareness perspective, you have to ensure that you clearly identify your organization’s assets so that your user population knows what they need to protect. This is one of the motivations to promote to your users to encourage them to more likely enact behaviors.
Threat
Threat is essentially the Who or What that can cause harm, if given the opportunity. Most people think of threats as malicious people. They are clearly threats. However, your awareness program is useful only if you believe that providing guidance to well-meaning users is valuable. And it is valuable, as well-meaning users are a more prominent threat. These people lack malicious intent but take actions that are nonetheless harmful because of ignorance, carelessness, or human error, all of which can be reduced by way of awareness. Well-meaning users cause exponentially more loss in aggregate than the malicious actors. The incidents can be significant, but more frequently the losses involve many small-but-frequent incidents that add up. For example, compromised credentials and lost devices