Society is changing rapidly and organizations increasingly interconnect in order to keep up with customer demands. The increased use of the Internet to conduct business, the transition from paper to digital media, the increased use of social networks, and the cloud are creating new security risks to organizations. The human element, the 8th layer of security, our employees, is in the middle of it and contributes to significant security risks. In fact, according to the most recent Information Security Breaches Survey by PricewaterhouseCoopers and Infosecurity Europe, 36% of the worst security breaches are caused by unintentional human errors. To combat these risks, which are further magnified with the increase in Advanced Persistent Threats, we need to create a security conscious culture within our organizations; one where employees are subconsciously considering risks and threats in their daily routines. One security control to help mitigate this risk and to help build a security conscious culture within our organizations is to implement a Security Awareness program.
A Security Awareness program provides three key benefits to organizations. First and foremost, it helps us facilitate behavioral change in order to mitigate unnecessary risks to the organization; second, it helps us comply with laws and regulations; and lastly, it helps reduce unexpected and unnecessary costs. Employees are often not aware of an organization’s security policies & procedures or their own security roles & responsibilities, and they are often not made aware of security risks, threats, or security best practices. This lack of knowledge causes unintentional risk to the organization, which must be mitigated to ensure the long-term success and survival of the organization, and to ensure the confidentiality, integrity, and availability of the organization’s data and systems. This is the problem we are trying to solve by implementing a Security Awareness program; however, this is also where the second problem arises. Only slightly more than half of large organizations are implementing a continuous Security Awareness program and, more often than not, they are unsuccessful in their implementation. This results in a Security Awareness program that does not meet its goal and thus does not properly mitigate the risks.
Factors that contribute to the problem
There are many factors that contribute to the problem. First and foremost, organizations often fail to identify the need, and therefore many Security Awareness programs are designed and implemented merely to comply with laws and regulations rather than to manage risks and reduce unexpected costs. Second, many Security Awareness programs do not have support from senior or executive leadership. Management often does not see the benefits and the Return on Investment (ROI) of a Security Awareness program. Much of this could be attributed to the lack of metrics. As many as 1/3 of organizations do not measure the effectiveness of their Security Awareness training. Would employees recognize an incident? Would they know what to do? Is it reducing unexpected costs? Is it reducing risks? Metrics are a critical component of a Security Awareness program and help to measure its success and to identify areas that need improvement. For the organization’s leadership, metrics are used to justify the costs of the Security Awareness program and provide the basis for their support. Another contributor to the failure of Security Awareness programs is the failure to understand the audience. Organizations primarily fail to understand the audience in two ways. First and foremost, the process of identifying internal groups and their unique Security Awareness needs is often not performed, so organizations are left with a program that caters to a generic audience with generic needs instead of uniquely tailoring the program to address the specifically identified risks and needs of the organization. Second, organizations often fail to understand how their identified audience learns. This relates to the fact that many Security Awareness programs are created and delivered by Information Security professionals who aren’t educators.
We are relying on Information Security professionals to educate and change people’s high-risk behaviors and reinforce desired behaviors without having the necessary background as educators. This hardly seems fair. People have different cognitive skills, and each person’s ability to learn and digest new information and knowledge differs from one another. People also prefer different learning styles. One person might prefer a spatial learning style where images and other visual tools are used in the learning process, while another might prefer an aural learning style where the information is delivered in spoken form, or even a logical learning style where logic and reasoning are used in the learning process. Moreover, people have different mental models: we all have a different thought process and understanding of the relationship between our work, the tasks we do, the tools we use, risks, threats, and actions, and how all of these affect one another. Another cause contributing to ineffective Security Awareness programs is the failure to properly identify high-risk and desired behaviors. What are the behaviors you want to change? What are the behaviors you want to reinforce? It is easy for an organization to focus strictly on the most common threat areas such as Social Engineering, Phishing Attacks, and Malware because they get a lot of media attention. Yes, these are critical areas that most certainly must be addressed. But many organizations fail to address areas that are often unique within each organization. Do your employees know how to find the Acceptable Use Policy? Have they read the policy, and are they familiar with it? Are they familiar with their security role? Are they using your data and client information ethically? Do they know where to store files on your network so that they are appropriately backed up? Do they know how and where to shred sensitive documents? Do they know how to report an incident?
Moreover, many organizations fail to provide appropriate solutions to change the undesirable high-risk behaviors. Let me give you an example. Almost every Security Awareness program will inform the employees that it is bad practice to store passwords on POST-IT® notes or in clear text within text documents or spreadsheets, but how many of those actually provide a solution to the employees’ challenges with Password Management? How many will provide Password Management software or instructions on how they can securely store their passwords in an encrypted spreadsheet? Whatever the solution may be, we traditionally see a lot of “thou shalt not do this” and very little “by doing it this way you can be more efficient and also stay secure.” In this case the solution to a high-risk behavioral problem is supported by way of a software solution, perhaps supplemented by a policy requiring the use of the Password Management software; however, in many cases the underlying solution is strictly by way of a policy, procedure, or guideline. Lastly, Security Awareness programs often fail in the delivery of the message. This comes back to the lack of understanding of the audience and how the audience prefers to learn, and is often worsened by the use of oversaturated mediums to communicate the message.
Impact of poor implementation
The lack of, or poorly implemented, Security Awareness programs can have a large impact on the business or organization. First and foremost, this would result in increased security risks to the organization, which is thus more likely to experience security incidents. These incidents could be a result of Advanced Persistent Threats from the outside and can take place via a Social Engineering or Phishing Attack resulting in Malware infections. Malware infections carry a cost to the organization in the form of increased time spent by technical support to remediate the problem and/or rebuild systems. They also carry a cost to the organization in the form of productivity loss when the affected end user is unable to use their computer to perform their work. Some malware is even capable of encrypting your organization’s data and holding it hostage, forcing you either to restore systems and data from backup or to pay the ransom to obtain the decryption key. Second, the organization will be more susceptible to Social Engineering attacks where employees could be tricked into revealing sensitive information or even passwords. This could lead to the theft of intellectual property as well as loss of the organization’s goodwill or reputation, which could cause loss of potential work or, in some circumstances, the organization’s demise. Uninformed employees could also result in the failure to follow established policies, unethical use of customer data, and even the loss of data and equipment. All of which will have significant impacts on the organization, both from an operations perspective and financially.
Solving the Problem
Organizations should take a holistic approach to implementing and maintaining a Security Awareness program in order to create and foster a security conscious culture within their organizations. The approach must address the problem from two different perspectives. From an Information Technology management perspective, we are interested in how we can best secure our organization while maintaining operational efficiency and ensuring the confidentiality, integrity, and availability of our data and systems. And from an educational psychology perspective, we are interested in how we can change our employees’ high-risk behaviors and reinforce desired behaviors in order to reduce risks to the organization. By tackling the problem from both of these perspectives and by addressing the common causes that contribute to the problem, we can ensure better success in creating, implementing, and maintaining a Security Awareness program that will contribute to building a security conscious culture and ensure the continued long-term operations of the business or organization.
The next article in the series is Building the Foundation for your Security Culture.
Tom Mannerud is an Information Technology Manager, Security Researcher, and Educator living in beautiful Tampa, Florida. He has held a wide variety of IT management and security leadership roles for global organizations and has experience both leading and working with multi-national teams both on land and at sea. He holds a Master of Science in Information Security and Assurance and is a GIAC Certified ISO-27000 Specialist from SANS. Tom is also a member of the FBI InfraGard and the Information Systems Security Association.