Also, a more aware user knows when something seems wrong and knows how to react to it. If your users sense that they might have been compromised, they start taking actions to mitigate the loss. If they accidentally email sensitive data to the wrong person, they try to stop the message or have it deleted. If they end up on a malicious website that starts serving adware, they disconnect before additional damage can occur. They know how to properly report any and all potential incidents, so your organization can begin to stop any loss or damage in progress. In the worst case, at least they can launch an investigation after the fact to find out what happened.
In the ideal situation, even when a user takes no potentially harmful action, they report the situation to the appropriate party. They report details such as whether someone tried to follow them through a door, even if they turn the person away, because they know that the person might attempt to enter through another door or follow someone else through the door. If someone detects a phishing message, they don’t click on it — instead, they report the message because they realize that other, less aware users may click on it, and then the administrators can delete the message before that happens.
As you can see, awareness requires more than knowing what to be afraid of — you also have to know how to do things correctly. Too many awareness programs focus on teaching users what to be afraid of rather than on establishing policies and procedures for how to perform functions correctly, and in a way that doesn’t result in loss.
The goal for awareness is for users to behave according to policies and procedures. Part of the function of an awareness program is making users aware that bad guys exist and that those bad guys will attempt to do bad things. But awareness programs primarily focus on making people aware of how to behave according to procedures in potentially risky situations.
Grasping how users initiate loss
At a cybersecurity conference where I spoke, I was in a buffet line at lunchtime. At one table that the line passed, I saw some stickers that said, Don’t Click On Sh*t! The person in front of me was an administrator, and he grabbed a handful of stickers while saying, “I need a lot of these to give to my users.” I then replied, “You must give your users a lot of ‘sh*t’ to click on.”
The guy was confused and asked what I meant. I replied that the users would have no items to avoid clicking on if the systems he supported didn’t pass the messages to the users. I then added that if he knows users will click on problematic items, he should be taking active measures to stop the inevitable damage. He was confused, but of course kept the stickers.
For more information on user-initiated loss, find a copy of my book, written with Dr. Tracy Celaya Brown, You Can Stop Stupid: Stopping Losses from Accidental and Malicious Actions (Wiley, 2021).
Users can cause only the amount of damage they’re put in the position to cause — and then allowed to carry out. However, even after they make a potentially damaging mistake, or even if they’re blatantly malicious, it doesn’t mean that the system should allow the loss to be realized.
For example, a user can click on a phishing message only if the antiphishing technology used by your organization fails to filter the message. If the user clicks on a phishing message and ransomware is activated, the ransomware can destroy the system only if the user has permission to install software on the system — and then in almost all cases, you have no standard antimalware on the system.
User error is a symptom of the problems with your system. Even if a user makes a mistake, or is even malicious, the resulting loss is a problem with the system providing users with potential actions and then enabling the loss.
In essence, users may initiate a chain of actions that create the loss, but the loss is a result of failings in the system as a whole.
Knowing How Security Awareness Programs Work
Unfortunately, there is little consistency in what is perceived to be a sufficient, organizational security awareness program. Some organizations just have users, or employees, sign a document. Many other awareness programs require employees to read the document once a year (or, increasingly, watch a video).
At the other end of the spectrum, when I started at the National Security Agency (NSA), my security awareness training actually began long before I started working there. After I passed the initial aptitude test, I was sent information to arrange for an interview. During that interview was a conversation about the special security considerations of working for the NSA. I was prepared for what would be involved in obtaining a top secret clearance, as well as the need not to discuss my potential employment. I was then invited to visit the NSA headquarters for further interviews.
My travel packet included a basic discussion of security requirements. Upon arrival, I was provided with another security briefing related to how to get into, and then behave within, the facilities. I met with counterintelligence officers, who provided a general overview of security requirements and then administered a polygraph exam. I also took a battery of psychological tests. During the technical interviews, I met with professionals who also discussed the job expectations, including the expected security-related behaviors. The NSA is a special case, of course — most organizations don’t engage in such rigorous screening practices.
The goal of a security awareness program is to improve security-related behaviors. The goal is not to simply make people aware of an issue — the goal is to inspire people to behave appropriately to avoid the initiation of a loss and, ideally, to detect and respond to the potential for loss. Whether people understand how their actions promote security is secondary because the goal of an awareness program is to change behaviors, not just impart knowledge.
When I started working at the NSA, I took a 3-day security awareness class. Security awareness posters were hung on walls all over the buildings. Applicants received security newsletters and attended regular security-related presentations. These awareness tools were generally unnecessary, however. All I had to do to see how to behave was behave like everyone else. Everyone wore their badges, so I wore my badge. Everyone lined up to have their belongings inspected on the way out of the buildings. In essence, the entire culture was the awareness program. People lost their jobs because of security violations. I am not saying the NSA was perfect, because it clearly had some major failings, but for all the potential risk, the NSA experienced relatively little loss.
Clearly, few organizations in the world have the type of awareness program that the NSA has. Unlike organizations that prioritize profits, branding, and other deliverables, the NSA focuses on security. Security is the NSA brand.
A good security awareness program intends to change and improve security-related behaviors. You can incorporate many tools into an awareness plan to create that change. Chapter 7 defines a variety of tools that you can incorporate into your program. Some tools are more popular than others; however, no tool is absolutely required. The choice depends on your needs. At the end of the day, a security awareness program is essentially a set of tools, techniques, and measurements intended to improve security-related behaviors.
Establishing and measuring goals
The ultimate goal of a security awareness program is to change and improve security-related behaviors. Security programs are created to reduce loss. As an essential part of an organization’s overall information security program, security awareness should likewise reduce loss.
In Chapter 8, I discuss some metrics you can use to