Step 3: Identifying High-Risk and Desired Behaviors
The Security Awareness Cycle
The third step in the Security Awareness Cycle is to identify behaviors. Security Awareness is all about reinforcing desired behaviors and changing high-risk behaviors in order to reduce or mitigate security risks to the organization. We know that many of the desired behaviors are outlined within the organization’s security policies and procedures. However, high-risk behaviors are more closely linked to current threats and to how the audience reacts or responds to those threats. As a result, high-risk behaviors are more fluid and may change between now and the next time you go through the cycle.
So, what are these behaviors and how can I identify them? You can often look to your Acceptable Use Policy as a starting point for identifying desired behaviors. For instance, you want your employees to be familiar with this policy. You want them to know that it exists, you want them to know where to find it, and you want them to be familiar with and comply with its content. You want your employees to know who the Information Security Officer is and how to properly report a security incident. You also want your employees to know where to store their data so that it is properly backed up. Lastly, you want your employees to be fully aware of their security roles and responsibilities. So, the first part of identifying behaviors is to outline all the things you want your employees to do. These become the desired behaviors.
You should also identify the high-risk behaviors. These are behaviors that put your organization at unnecessary risk. For example, the failure to recognize a phishing attack, ignoring signs of malware, failure to properly dispose of sensitive documents, or revealing sensitive information during a Social Engineering attack. In some cases, these high-risk behaviors are relevant to all groups within the organization, but you will also find that individual groups may have high-risk behaviors that are unique to them.
The identified behaviors become topics you want to address within your Security Awareness program.
Step 4: Identifying Solutions to Facilitate Behavioral Change
The fourth step in the Security Awareness Cycle is to identify solutions to mitigate the risk or to facilitate a behavioral change. This is where you need to decide how you want to handle the risks identified in the previous steps.