Security awareness programmes have a mixed track record of success, to put it mildly.
While many security paradigms emphasise the importance of people, process and technology in every security strategy, in practice, the people and process parts tend to receive only grudging attention.
If the risk and compliance culture of an organisation is poor, then awareness alone won't result in good security.
Adrian Wright, managing director, Secoda Risk Management
As a research study by mail security company Clearswift found last November, few organisations tackle the awareness agenda with enthusiasm. Half of the employees polled said they had never received any awareness training, and two-thirds had never had training in their current role. That led the researchers to conclude that most workers were “IT freestyling”: working with little or no guidance about what was and was not permitted.
So what are the keys to making an awareness programme effective, and ensuring it produces a long-term impact on the behaviour of the people using systems?
The best way is to ask security pros who have been through the process. And what better way to find out than to ask members of security groups on the LinkedIn social networking site? We at SearchSecurity.co.UK recently did just that, and, within hours, professionals from around the world began to offer up their suggestions.
Here is a summary of some of their security awareness tips:
A corporate security policy can be long and complicated, and much of it will be irrelevant to individual workers, so security pros suggest tailoring training to each group of users.
“The message and the language must be crafted to the audience: Speak in the audience's language. Never use ‘security-speak’ except to other security folk,” wrote Brook Schoenfield, a senior security architect for US-based Cisco Systems.
Nick Baskett, managing director of Matta Group in London, echoed that view: “Teaching someone something they don't see as relevant to their job is a sure way to encourage amnesia. Security awareness to the [Personal Assistant] for the CFO has different elements than training someone in a call centre.”
Michael Krausz, an information security consultant based in Austria, made the point that training has to be engaging if it is to register with people. “The training should be inspiring and interesting. There's nothing worse for increasing awareness than a boring training session,” he wrote. “What usually works is to include practical elements that contain an element of surprise to keep a class interesting.” In one session, for example, Krausz showed people the source code of a virus; in another, he showed a hardware keylogger and asked people to think about how much of their typing such a device could hold in its 2GB of memory.
He also emphasised the need for face-to-face sessions in addition to any computer-based training (CBT). “Using CBT neither creates nor increases awareness. If people do not have in-person training sessions, they will simply learn the answers, but their awareness will not change,” Krausz said.
Interactive training can also help get people engaged with security by having them take on roles in certain threat situations. For instance, this can be especially effective when explaining how social engineering works. “Acting it out works very well,” wrote Colin Wright, a CLAS consultant (with clearance to work on government contracts) based in Milton Keynes. “Give them all a role and a scenario with 'placed' individuals to take it forward to whatever conclusion or point you need to make. They'll feel foolish at first, but it does work.”
Senior management backing
Any awareness programme needs to have the full and genuine support of senior management. It’s no good, security pros say, if the managing director merely signs the security policy, but ignores it for his or her own use.
“If the risk and compliance culture of an organisation is poor, then awareness alone won't result in good security,” wrote Adrian Wright, managing director of Secoda Risk Management in London. “Awareness needs to be delivered in concert with measures that confer responsibility and accountability on individuals, and ensure there is a senior mandate for managing risk and compliance, well communicated from the top down.”
As the Clearswift study showed, if companies do any training at all, it tends to be done at induction to the organisation and then quietly forgotten about.
Nick Baskett succinctly summarised the issue: “An awareness course is pretty useless if it's a once-a-year event that stands in isolation from the actual practices and culture in the organisation.”
Roger Killick, information security manager for Siemens plc, agreed: “In my opinion, little and often (i.e. business as usual) is a better approach than a one-off campaign, although such a campaign could be used to start the process off.”
And Randall Lozano, president of the Philippines Internet Society, said awareness training activities should take place at least twice a year, backed up with posters and reminders around the organisation to keep the message in people’s minds. Creating the culture can be difficult at first, he admitted, but once the message is imprinted on users, they can become a powerful line of defence against any kind of intrusion.
Enforcement and testing
Many contributors to the LinkedIn discussion underlined the need to follow up on the training, to reinforce the message on a regular basis, and to make sure the message has been absorbed and retained by users.
This can sometimes involve drastic measures. David Simmons, an IT security administrator based in Ohio, said he requires users to take a CBT program by a certain date, and, if they fail to do it, he disables their Active Directory account, and then they have to take the test from a designated terminal to get reinstated.
“Yes, everyone in the company hates me, but you do not enter the world of security to make friends!” he wrote. He supplements the CBT courses with a range of other measures including:
- Security tips of the week via email.
- Security-related posters in break rooms and other high-traffic areas.
- Monthly security lunch-and-learn presentations.
- Monthly contests that have users answer 5-10 security questions, and those who answer correctly have their names entered in a drawing for a restaurant or store gift card.
Ben Klein, a networking security specialist working for Spectra Energy in Houston, Texas, also underlined the need for regular testing. “Most security awareness training wears off very quickly, something like 4-6 weeks if you are lucky. Daily and weekly reminders, posters, knick-knacks for the desk, etc., also start becoming background noise and glazed over,” he wrote.
He cited one effective and ongoing security awareness campaign where users are randomly subjected to re-testing and must take a refresher if they do not respond correctly. This could involve, for example, the security team sending a dodgy looking attachment to a user to see if he or she opens it, or a phishing message to see if the user replies.
One sure way to gain and keep management’s interest in security awareness programmes is to demonstrate a clear improvement in the performance of users.
Michael Paisley, head of information risk at Santander UK, highlighted three possible goals for an awareness programme, and suggested ways of measuring their success.
- Reduce loss or disruption from human security errors and omissions: To understand whether the programme is having the desired effect, track incidents before and after deploying the awareness programme. “You don't need large volumes of data points, just sufficient to undertake inferential analysis,” Paisley said. “You will need to do root cause [analysis] on known incidents to ensure the relevance of human error or omission.”
- Regulatory compliance and regulatory sanction mitigation: In other words, awareness programmes will not only deliver higher levels of security, but also, in the event of a breach, any sanction by the regulator is likely to be lower if the organisation can show the appropriate training was given.
- Employee-related tribunals: Any case against employees claiming incompetence or negligence on their part will be bolstered if the organisation can prove training was given.
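The first of Paisley's goals, tracking incidents before and after the programme and running inferential analysis on small numbers of data points, is the one that most often stalls in practice because nobody writes the comparison down. The script below is an added example, not part of the article or of any contributor's own method. The monthly counts in `BEFORE` and `AFTER` are constructed sample data, and the statistical choices (treating incidents as a Poisson process, using a binomial test conditional on the combined total, and a log-scale normal approximation for the confidence interval) are this example's assumptions, not something the article specifies.

```python
"""Before-and-after comparison of human-error incident rates.

Added example, not part of the article or of any contributor's own method.
The monthly incident counts below are constructed sample data. The script
assumes incidents arrive roughly as a Poisson process, so that, under the
hypothesis of equal rates, the number falling in the 'before' period is
Binomial given the combined total (the conditional test used here).
"""
from math import comb, exp, log, sqrt
from typing import Dict, Sequence, Tuple

# Constructed sample data (not real figures): monthly counts of incidents that
# root-cause analysis attributed to human error or omission, for the six
# months before and the six months after the awareness programme launched.
BEFORE = [7, 9, 6, 8, 10, 7]
AFTER = [4, 3, 5, 2, 4, 3]


def rate_ratio(before: Sequence[int], after: Sequence[int]) -> float:
    """Incidents per month after the programme divided by the rate before."""
    if sum(before) == 0:
        raise ValueError("no incidents in the 'before' period; ratio undefined")
    rate_before = sum(before) / len(before)
    rate_after = sum(after) / len(after)
    return rate_after / rate_before


def rate_ratio_ci(before: Sequence[int], after: Sequence[int],
                  z: float = 1.96) -> Tuple[float, float]:
    """Approximate 95% confidence interval for the rate ratio.

    Uses the log-scale normal approximation, se = sqrt(1/a + 1/b), which
    needs at least one incident in each period to be defined.
    """
    a, b = sum(before), sum(after)
    if a == 0 or b == 0:
        raise ValueError("need at least one incident in each period")
    se = sqrt(1 / a + 1 / b)
    centre = log(rate_ratio(before, after))
    return exp(centre - z * se), exp(centre + z * se)


def conditional_pvalue(before: Sequence[int], after: Sequence[int]) -> float:
    """One-sided exact p-value for 'the rate after is lower than before'.

    Under equal rates, given the combined total n = a + b, the 'before'
    count a is Binomial(n, p) with p = months_before / total_months, so the
    p-value is P(X >= a) for that distribution.
    """
    a, b = sum(before), sum(after)
    n = a + b
    p = len(before) / (len(before) + len(after))
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(a, n + 1))


def summarise(before: Sequence[int], after: Sequence[int],
              alpha: float = 0.05) -> Dict[str, object]:
    """Collect the figures a programme owner would report to management."""
    rr = rate_ratio(before, after)
    lo, hi = rate_ratio_ci(before, after)
    p = conditional_pvalue(before, after)
    return {
        "incidents_before": sum(before),
        "incidents_after": sum(after),
        "rate_ratio": rr,
        "reduction_pct": 100 * (1 - rr),
        "ci_95": (lo, hi),
        "p_value": p,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    result = summarise(BEFORE, AFTER)
    print(f"incidents before/after: {result['incidents_before']}/{result['incidents_after']}")
    print(f"rate ratio: {result['rate_ratio']:.2f} "
          f"(95% CI {result['ci_95'][0]:.2f} to {result['ci_95'][1]:.2f})")
    print(f"reduction: {result['reduction_pct']:.0f}%  one-sided p = {result['p_value']:.4f}")
```

The conditional binomial test is chosen because it stays exact with the handful of data points Paisley describes, where a normal approximation would be shaky; the confidence interval is still approximate, so report both. The root-cause step in the article matters for the same reason: the counts only mean something if each incident has actually been attributed to human error or omission rather than to a control failure that training could never have prevented.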
For those who need more detail on how to plan a complete awareness programme, Robbie Craig, an information security officer with Luton Borough Council, has made available a section of the dissertation he wrote for his Master’s course at the University of Westminster.
This thesis provides a complete case study of the programme he helped to introduce in Luton, and includes full details of techniques used and a breakdown of costs.