If you have a functional program running and want to enhance it, I recommend turning to the chapters on gamification (see Chapter 11), running phishing simulations (see Chapter 12), or metrics (see Chapter 8). Otherwise, you can skim the chapters to see which one is the most relevant to your immediate needs. You may prefer, of course, to follow the flow of the book and read from front to back.
Part 1
Getting to Know Security Awareness
IN THIS PART …
See what makes security awareness work.
Avoid the pitfalls that cause security awareness programs to fail.
Get the most from what science shows about human behavior.
Chapter 1
Knowing How Security Awareness Programs Work
IN THIS CHAPTER
Recognizing the importance of security awareness
Working with a security awareness program
Knowing where awareness fits within a security program
Getting why the so-called “human firewall” doesn’t work
A successful security awareness program motivates people to behave according to defined practices that decrease risk. Creating a program that successfully changes behavior throughout an organization involves more than simply communicating a bunch of facts about security awareness. Just because people are aware of a problem doesn’t mean they will act on their awareness. In other words, awareness doesn’t guarantee action. (Everyone knows that fast food isn’t the healthiest choice, but most people still eat it.) This chapter sets the foundation for understanding the issues and the solutions.
Understanding the Benefits of Security Awareness
The thinking behind security awareness is that if people are aware of a problem, they’re less likely to contribute to the problem — and more likely to respond appropriately when they encounter it.
Users who are aware don’t pick up USB drives on the street and insert them into their work computers. They’re aware of their surroundings and ensure that nobody is looking over their shoulders while they’re working. They don’t connect to insecure Wi-Fi networks. They’re less likely to fall victim to phishing attacks. Essentially, users who are aware don’t initiate losses for their organizations.
Organizations typically create security awareness programs to ensure that their employees, or users, are aware of cybersecurity problems that are already known to the organization. Phishing messages, which I cover in the next section, represent the most prolific attack against users.
Reducing losses from phishing attacks
Phishing attacks are common enough these days that many people are already familiar with the term. A working definition is “an email message that intends to trick a user into taking an action that is against the user’s interests.” A phishing awareness program would ideally train people to properly determine how to handle incoming emails in a way that reduces the likelihood of loss. For example, if a message asks for the disclosure of information, the ideal situation is that a user knows what information they can disclose and to whom while also determining whether the sender is valid. Chapter 6 discusses this topic in more detail.
To appreciate the losses that a phishing attack can cause, consider these prominent attacks:
Sony: The infamous 2014 Sony hack, which was reportedly perpetrated by North Korea, began with a phishing attack. The hack resulted in the leak of information about movies, the movies themselves, and embarrassing emails. Sony reported costs of the hack to be $35 million.
Target: The 2013 Target hack, which compromised more than 110 million credit card numbers and consumer records, began with a phishing attack of a Target vendor. Target reported the resulting costs to be $162 million.
OPM: The attack on the Office of Personnel Management (OPM), discovered in 2014, which compromised the security clearance files of 20 million US government employees and contractors, began with a phishing attack against a government contractor. The costs and losses are immeasurable because this attack is considered a major intelligence success for China, the perpetrator of the attack named by the US government.
Colonial Pipeline: The Colonial Pipeline ransomware attack in 2021 began with a phishing message that captured user credentials and allowed the criminals to establish a sustained presence on the network. This allowed the criminals to find the most critical systems and eventually install the ransomware, which caused Colonial Pipeline to shut down the pipeline, halting a primary oil delivery to the US east coast. Colonial Pipeline paid the criminals approximately $4.4 million, but the actual costs resulting from the shutdown were tens of millions of dollars to Colonial Pipeline and an incalculable cost to the economy.
The Verizon Enterprise Solutions’ Data Breach Investigations Report, commonly referred to as the DBIR, is one of the most often cited studies in the cybersecurity field. The report, which is produced annually, is drawn from data collected directly by Verizon’s managed security service. The DBIR, considered a reliable overview of real-life attacks against organizations around the world, indicates that more than a whopping 85 percent of all major attacks begin by targeting users. You can access the report at www.verizon.com/business/resources/reports/dbir.
Reducing losses by reducing risk
Just as people get themselves into automobile accidents despite advances in automobile safety, even reasonably aware users may fall victim to cybersecurity attacks. All cybersecurity countermeasures will eventually fail. Countermeasures include encryption, passwords, antivirus software, multifactor authentication, and more. Perfect security doesn’t exist. Your goal in establishing a security awareness program is to reduce risk by influencing user actions.
Don’t expect users to be perfect — risk reduction isn’t about eliminating risk altogether, which is impossible. Expect your security awareness program to reduce the number and severity of incidents,