Security Awareness For Dummies - Ira Winkler - E-Book

Ira Winkler

Description

Make security a priority on your team. Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 37 seconds. Since security programs are only as effective as a team's willingness to follow their rules and protocols, it's increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it.

Security Awareness For Dummies gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization. Written by one of the world's most influential security professionals (an Information Systems Security Association Hall of Famer), this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management.

* Customize and create your own program
* Make employees aware of the importance of security
* Develop metrics for success
* Follow industry-specific sample programs

Cyberattacks aren't going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.


Page count: 442

Year of publication: 2022




Security Awareness For Dummies®

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

Includes text used with permission from You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions © 2021, John Wiley & Sons, Inc., Indianapolis, IN, authored by Ira Winkler and Tracy Celaya Brown.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER, READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2022934265

ISBN 978-1-119-72092-8 (pbk); ISBN 978-1-119-72093-5 (ePDF); ISBN 978-1-119-72094-2 (epub)

To view this book's Cheat Sheet, simply go to www.dummies.com and search for “Security Awareness For Dummies Cheat Sheet” in the Search box.

Table of Contents

Cover

Title Page

Copyright

Introduction

About This Book

Foolish Assumptions

Icons Used in This Book

Beyond the Book

Where to Go from Here

Part 1: Getting to Know Security Awareness

Chapter 1: Knowing How Security Awareness Programs Work

Understanding the Benefits of Security Awareness

Knowing How Security Awareness Programs Work

Recognizing the Role of Awareness within a Security Program

Disputing the Myth of the Human Firewall

Chapter 2: Starting On the Right Foot: Avoiding What Doesn’t Work

Making a Case Beyond Compliance Standards

Treating Compliance as a Must

Limiting the Popular Awareness Theories

Distinguishing Social Engineering from Security Awareness

Addressing Mental Models That Don’t Work

Making Perfection the Stated Goal

Measuring from the Start

Prioritizing Program Over Product

Choosing Substance Over Style

Understanding the Role of Security Awareness

Chapter 3: Applying the Science Behind Human Behavior and Risk Management

Achieving Common Sense through Common Knowledge

Borrowing Ideas from Safety Science

Applying Accounting Practices to Security Awareness

Applying the ABCs of Awareness

Benefiting from Group Psychology

Remembering That It’s All About Risk

Part 2: Building a Security Awareness Program

Chapter 4: Creating a Security Awareness Strategy

Identifying the Components of an Awareness Program

Figuring Out How to Pay for It All

Chapter 5: Determining Culture and Business Drivers

Understanding Your Organization’s Culture

Identifying Subcultures

Interviewing Stakeholders

Partnering with Other Departments

Chapter 6: Choosing What to Tell The Users

Basing Topics on Business Drivers

Incorporating Personal Awareness Topics

Motivating Users to Do Things “Right”

Common Topics Covered in Security Awareness Programs

Chapter 7: Choosing the Best Tools for the Job

Identifying Security Ambassadors

Knowing the Two Types of Communications Tools

Exploring Your Communications Arsenal

Chapter 8: Measuring Performance

Knowing the Hidden Cost of Awareness Efforts

Meeting Compliance Requirements

Collecting Engagement Metrics

Measuring Improved Behavior

Demonstrating a Tangible Return on Investment

Recognizing Intangible Benefits of Security Awareness

Knowing Where You Started: Day 0 Metrics

Part 3: Putting Your Security Awareness Program Into Action

Chapter 9: Assembling Your Security Awareness Program

Knowing Your Budget

Choosing to Implement One Program or Multiple Programs

Gaining Support from Management

Devising a Quarterly Delivery Strategy

Deciding Whether to Include Phishing Simulations

Planning Which Metrics to Collect and When

Branding Your Security Awareness Program

Chapter 10: Running Your Security Awareness Program

Nailing the Logistics

Getting All Required Approvals

Getting the Most from Day 0 Metrics

Creating Meaningful Reports

Reevaluating Your Program

Redesigning Your Program

Considering Breaking News and Incidents

Chapter 11: Implementing Gamification

Understanding Gamification

Identifying the Four Attributes of Gamification

Figuring Out Where to Gamify Awareness

Examining Some Tactical Gamification Examples

Putting Together a Gamification Program

Promoting the Program

Chapter 12: Running Phishing Simulation Campaigns

Knowing Why Phishing Simulations Matter

Setting Goals for Your Phishing Program

Planning a Phishing Program

Choosing a Phishing Tool

Implementing a Phishing Simulation Program

Running a Phishing Simulation

Tracking Metrics and Identifying Trends

Dealing with Repeat Offenders

Management Reporting

Part 4: The Part of Tens

Chapter 13: Ten Ways to Win Support for Your Awareness Program

Finding Yourself a Champion

Setting the Right Expectations

Addressing Business Concerns

Creating an Executive Program

Starting Small and Simple

Finding a Problem to Solve

Establishing Credibility

Highlighting Actual Incidents

Being Responsive

Looking for Similar Programs

Chapter 14: Ten Ways to Make Friends and Influence People

Garnering Active Executive Support

Courting the Organization’s Influencers

Supporting Another Project That Has Support

Choosing Topics Important to Individuals

Having Some Fun Events

Don’t Promise Perfection

Don’t Overdo the FUD Factor

Scoring an Early Win

Using Real Gamification

Integrating the Organization’s Mission Statement

Chapter 15: Ten Fundamental Awareness Topics

Phishing

Business Email Compromise

Mobile Device Security

Home Network and Computer Security

Password Security

Social Media Security

Physical Security

Malware and Ransomware

Social Engineering

It Can Happen to You

Chapter 16: Ten Helpful Security Awareness Resources

Security Awareness Special Interest Group

CybSafe Research Library

Cybersecurity Culture Guidelines

RSA Conference Library

You Can Stop Stupid

The Work of Sydney Dekker

Human Factors Knowledge Area

People-Centric Security

Human Security Engineering Consortium

How to Run a Security Awareness Program Course

Appendix: Sample Questionnaire

Questions for the CISO or Similar Position

Questions for All Employees

Questions for the HR Department

Questions for the Legal Department

Questions for the Communications Department

Questions Regarding the Appropriate Person for Physical Security

Index

About the Author

Advertisement Page

Connect with Dummies

End User License Agreement

List of Illustrations

Chapter 3

FIGURE 3-1: The ABCs of awareness.

FIGURE 3-2: The ABCs of behavioral science.

FIGURE 3-3: The Forgetting Curve.

Chapter 9

FIGURE 9-1: A sample quarterly awareness program interspersing topics.

Chapter 10

FIGURE 10-1: Consolidated metrics dashboard.

FIGURE 10-2: Mobile device loss.

FIGURE 10-3: Phishing results bar graph.

Introduction

Creating security awareness among users is much more difficult and complicated than just telling them, “Bad people will try to trick you. Don’t fall for their tricks.” Not only is that advice usually insufficient, but you also have to account for much more than just bad people tricking your users. People lose equipment. They frequently know what to do, but have competing priorities. They may just not care. Relying on the user knowing what to do is not a silver bullet that creates a true firewall. However, with the right plan and strategy, you can make a measurable difference in improving user behavior. This book puts you on the right path to creating effective security awareness programs that meaningfully reduce risk to your organization.

About This Book

I started my career in cybersecurity performing social engineering and penetration tests. I put together teams of former special forces officers and intelligence operatives, and we targeted companies as nation-states would. I focused on black bag operations, which often consist of clandestine activities such as lock picking or safecracking, and otherwise infiltrating protected facilities. I went undercover to infiltrate organizations and persuade users to give me sensitive information. These operations led to the theft of reportedly billions of dollars of information and intellectual property. (I gave it all back.)

My “victims” then had me go back to their organizations and tell the stories about what I did, as a form of security awareness. The users were mesmerized by my stories. I heard about some successes in improved awareness, but when I went back for further assessments, the reality was that no real improvement had occurred. Just telling stories and telling people what not to do has limited impact.

Over two decades, I created and supported dozens, if not hundreds, of awareness programs for organizations of all types and sizes. I was able to see what worked best and what didn’t. I found that many of the common beliefs and strategies just didn’t work. They sounded great, but they were specious.

I also learned how to tell when awareness efforts were doomed to failure. More important though, I learned what works and how best to implement awareness programs.

This book shows how to implement the strategy that I found (through decades of experience) actually works. It helps you cut through hype and platitudes and begin doing what actually works. Platitudes and hype sound noble, but they are frequently misleading. Some of what I describe might go against what is considered common practice; however, you must consider that common practice has led to few improvements over decades. With that in mind, consider my perspective and determine what works best for your purposes. No guarantee exists of what will or won’t work in any given situation.

Take this insight into account as you read this book and choose your own path.

To help you choose that path and make the content more accessible, I’ve divided this book into four parts:

Part 1, “Getting to Know Security Awareness”: An overview of the fundamental concepts and philosophies of security awareness

Part 2, “Building a Security Awareness Program”: The building blocks of an awareness program

Part 3, “Putting Your Security Awareness Program into Action”: Creating and implementing your program

Part 4, “The Part of Tens”: Quick guidance for optimizing your program

The appendix provides a sample assessment questionnaire.

Foolish Assumptions

My fundamental assumption is that I have no assumptions except that you are interested in addressing human vulnerabilities. You may be a CISO who wants to get a handle on how to better address the most common attacks against your organization. You may run awareness programs and want to enhance your current efforts. You may have been randomly assigned to run an awareness program and have little idea where to start. Or you may simply be interested in becoming a more well-rounded cybersecurity professional. This book definitely provides a valuable addition to your knowledge base.

Regardless of your role or position in your organization, if you’re interested in addressing human vulnerabilities, you should find value in this book. I hope that you get to apply the information in a practical setting. As I finalize this manuscript, the 2021 Verizon Data Breach Investigations Report (DBIR) has been released, and it again reports that the targeting of users remains the top attack vector. It is my belief that this book can help to address this problem.

Icons Used in This Book

Throughout this book, icons in the margins highlight certain types of valuable information that call out for your attention. Here are the icons you encounter and a brief description of each:

The Tip icon marks tips and shortcuts you can use to make creating and running awareness programs easier.

Remember icons mark the information that’s especially important to know. Frequently, paragraphs marked with this icon reiterate information that is presented previously in the book but bears repeating in the current context.

The Technical Stuff icon marks information that is specifically practical in implementing awareness programs. It involves information specific to the execution of programs.

When you see the Warning icon, you know to watch out! This icon marks important information that may save you headaches, or at least let you know when those headaches might pop up (and why).

Beyond the Book

In addition to the abundance of information and guidance related to creating a security awareness program that we provide in this book, you gain access to even more help and information online at Dummies.com. Check out this book’s online Cheat Sheet. Just go to www.dummies.com and search for security awareness for dummies cheat sheet.

Where to Go from Here

This book follows a certain flow, but — as I identify in the description of the parts of this book, and as I write in the “Foolish Assumptions” section — you may be anywhere in the process of implementing an awareness program. For that reason, I intend for the chapters to stand alone as much as possible. Part 1 of this book covers my philosophies, biases, and experience, which may help you understand the perspective of the advice I provide, but you should be able to start with any chapter that seems most relevant to you.

If you have a functional program running and want to enhance it, I recommend turning to the chapters on gamification (see Chapter 11), running phishing simulations (see Chapter 12), or metrics (see Chapter 8). Otherwise, you can skim the chapters to see which one is the most relevant to your immediate needs. You may prefer, of course, to follow the flow of the book and read from front to back.

Part 1

Getting to Know Security Awareness

IN THIS PART …

See what makes security awareness work.

Avoid the pitfalls that cause security awareness programs to fail.

Get the most from what science shows about human behavior.

Chapter 1

Knowing How Security Awareness Programs Work

IN THIS CHAPTER

Recognizing the importance of security awareness

Working with a security awareness program

Knowing where awareness fits within a security program

Getting why the so-called “human firewall” doesn’t work

A successful security awareness program motivates people to behave according to defined practices that decrease risk. Creating a program that successfully changes behavior throughout an organization involves more than simply communicating a bunch of facts about security awareness. Just because people are aware of a problem doesn’t mean they will act on their awareness. In other words, awareness doesn’t guarantee action. (Everyone knows that fast food isn’t the healthiest choice, but most people still eat it.) This chapter sets the foundation for understanding the issues and the solutions.

Understanding the Benefits of Security Awareness

The thinking behind security awareness is that if people are aware of a problem, they’re less likely to contribute to the problem — and more likely to respond appropriately when they encounter it.

Users who are aware don’t pick up USB drives on the street and insert them into their work computers. They’re aware of their surroundings and ensure that nobody is looking over their shoulders while they’re working. They don’t connect to insecure Wi-Fi networks. They’re less likely to fall victim to phishing attacks. Essentially, users who are aware don’t initiate losses for their organizations.

Organizations typically create security awareness programs to ensure that their employees, or users, are aware of cybersecurity problems that are already known to the organization. Phishing messages, which I cover in the next section, represent the most prolific attack against users.

Reducing losses from phishing attacks

Phishing attacks are common enough these days that many people are already familiar with the term. A working definition is “an email message that intends to trick a user into taking an action that is against the user’s interests.” A phishing awareness program would ideally train people to properly determine how to handle incoming emails in a way that reduces the likelihood of loss. For example, if a message asks for the disclosure of information, the ideal situation is that a user knows what information they can disclose and to whom while also determining whether the sender is valid. Chapter 6 discusses this topic in more detail.

To appreciate the losses that a phishing attack can cause, consider these prominent attacks:

Sony:

The infamous 2014 Sony hack, which was reportedly perpetrated by North Korea, began with a phishing attack. The hack resulted in the leak of information about movies, the movies themselves, and embarrassing emails. Sony reported costs of the hack to be $35 million.

Target:

The 2013 Target hack, which compromised more than 110 million credit card numbers and consumer records, began with a phishing attack of a Target vendor. Target reported the resulting costs to be $162 million.

OPM:

The attack on the Office of Personnel Management (OPM), discovered in 2014, which compromised the security clearance files of 20 million US government employees and contractors, began with a phishing attack against a government contractor. The costs and losses are immeasurable because this attack is considered a major intelligence success for China, the perpetrator of the attack named by the US government.

Colonial Pipeline:

The Colonial Pipeline ransomware attack in 2021 began with a phishing message that captured user credentials and allowed the criminals to establish a sustained presence on the network. This allowed the criminals to find the most critical systems and eventually install the ransomware, which caused Colonial Pipeline to shut down the pipeline, halting a primary oil delivery to the US east coast. Colonial Pipeline paid the criminals approximately $4.4 million, but the actual costs resulting from the shutdown were tens of millions of dollars to Colonial Pipeline and an incalculable cost to the economy.

The Verizon Enterprise Solutions’ Data Breach Investigations Report, commonly referred to as the DBIR, is one of the most often cited studies in the cybersecurity field. The report, which is produced annually, is drawn from data collected directly by Verizon’s managed security service. The DBIR, considered a reliable overview of real-life attacks against organizations around the world, indicates that more than a whopping 85 percent of all major attacks begin by targeting users. You can access the report at www.verizon.com/business/resources/reports/dbir.

Reducing losses by reducing risk

Just as people get themselves into automobile accidents despite advances in automobile safety, even reasonably aware users may fall victim to cybersecurity attacks. All cybersecurity countermeasures will eventually fail. Countermeasures include encryption, passwords, antivirus software, multifactor authentication, and more. Perfect security doesn’t exist. Your goal in establishing a security awareness program is to reduce risk by influencing user actions.

Don’t expect users to be perfect — risk reduction isn’t about eliminating risk altogether, which is impossible. Expect your security awareness program to reduce the number and severity of incidents, thereby reducing losses from the incidents.

Also, a more aware user knows when something seems wrong and knows how to react to it. If your users sense that they might have been compromised, they start taking actions to mitigate the loss. If they accidentally email sensitive data to the wrong person, they try to stop the message or have it deleted. If they end up on a malicious website that starts serving adware, they disconnect before additional damage can occur. They know how to properly report any and all potential incidents, so your organization can begin to stop any loss or damage in progress. In the worst case, at least they can launch an investigation after the fact to find out what happened.

In the ideal situation, even when a user takes no potentially harmful action, they report the situation to the appropriate party. They report details such as whether someone tried to follow them through a door, even if they turn the person away, because they know that the person might attempt to enter through another door or follow someone else through the door. If someone detects a phishing message, they don’t click on it — instead, they report the message because they realize that other, less aware users may click on it, and then the administrators can delete the message before that happens.

As you can see, awareness requires more than knowing what to be afraid of — you also have to know how to do things correctly. Too many awareness programs focus on teaching users what to be afraid of rather than on establishing policies and procedures for how to perform functions correctly, and in a way that doesn’t result in loss.

The goal for awareness is for users to behave according to policies and procedures. Part of the function of an awareness program is making users aware that bad guys exist and that those bad guys will attempt to do bad things. But awareness programs primarily focus on making people aware of how to behave according to procedures in potentially risky situations.

Grasping how users initiate loss

At a cybersecurity conference where I spoke, I was in a buffet line at lunchtime. At one table that the line passed, I saw some stickers that said, Don’t Click On Sh*t! The person in front of me was an administrator, and he grabbed a handful of stickers while saying, “I need a lot of these to give to my users.” I then replied, “You must give your users a lot of ‘sh*t’ to click on.”

The guy was confused and asked what I meant. I replied that the users would have no items to avoid clicking on if the systems he supported didn’t pass the messages to the users. I then added that if he knows users will click on problematic items, he should be taking active measures to stop the inevitable damage. He was confused, but of course kept the stickers.

For more information on user-initiated loss, find a copy of my book, written with Dr. Tracy Celaya Brown, You Can Stop Stupid: Stopping Losses from Accidental and Malicious Actions (Wiley, 2021).

Users can cause only the amount of damage they’re put in the position to cause — and then allowed to carry out. However, even after they make a potentially damaging mistake, or even if they’re blatantly malicious, it doesn’t mean that the system should allow the loss to be realized.

For example, a user can click on a phishing message only if the anti-phishing technology used by your organization fails to filter the message. If the user clicks on a phishing message and ransomware is activated, the ransomware can destroy the system only if the user has permission to install software on the system, and then, in almost all cases, only if no standard antimalware is running on the system.

User error is a symptom of the problems with your system. Even if a user makes a mistake, or is even malicious, the resulting loss is a problem with the system providing users with potential actions and then enabling the loss.

In essence, users may initiate a chain of actions that create the loss, but the loss is a result of failings in the system as a whole.

Knowing How Security Awareness Programs Work

Unfortunately, there is little consistency in what is perceived to be a sufficient organizational security awareness program. Some organizations just have users, or employees, sign a document. Many other awareness programs require employees to read the document once a year (or, increasingly, watch a video).

At the other end of the spectrum, when I started at the National Security Agency (NSA), my security awareness training actually began long before I started working there. After I passed the initial aptitude test, I was sent information to arrange for an interview. During that interview was a conversation about the special security considerations of working for the NSA. I was prepared for what would be involved in obtaining a top secret clearance, as well as the need not to discuss my potential employment. I was then invited to visit the NSA headquarters for further interviews.

My travel packet included a basic discussion of security requirements. Upon arrival, I was provided with another security briefing related to how to get into, and then behave within, the facilities. I met with counterintelligence officers, who provided a general overview of security requirements and then administered a polygraph exam. I also took a battery of psychological tests. During the technical interviews, I met with professionals who also discussed the job expectations, including the expected security-related behaviors. The NSA is a special case, of course — most organizations don’t engage in such rigorous screening practices.

The goal of a security awareness program is to improve security-related behaviors. The goal is not to simply make people aware of an issue — the goal is to inspire people to behave appropriately to avoid the initiation of a loss and, ideally, to detect and respond to the potential for loss. Whether people understand how their actions promote security is secondary because the goal of an awareness program is to change behaviors, not just impart knowledge.

When I started working at the NSA, I took a 3-day security awareness class. Security awareness posters were hung on walls all over the buildings. Applicants received security newsletters and attended regular security-related presentations. These awareness tools were generally unnecessary, however. All I had to do to see how to behave was behave like everyone else. Everyone wore their badges, so I wore my badge. Everyone lined up to have their belongings inspected on the way out of the buildings. In essence, the entire culture was the awareness program. People lost their jobs because of security violations. I am not saying the NSA was perfect, because it clearly had some major failings, but for all the potential risk, the NSA experienced relatively little loss.

Clearly, few organizations in the world have the type of awareness program that the NSA has. Unlike organizations that prioritize profits, branding, and other deliverables, the NSA focuses on security. Security is the NSA brand.

A good security awareness program intends to change and improve security-related behaviors. You can incorporate many tools into an awareness plan to create that change. Chapter 7 defines a variety of tools that you can incorporate into your program. Some tools are more popular than others; however, no tool is absolutely required. The choice depends on your needs. At the end of the day, a security awareness program is essentially a set of tools, techniques, and measurements intended to improve security-related behaviors.

Establishing and measuring goals

The ultimate goal of a security awareness program is to change and improve security-related behaviors. Security programs are created to reduce loss. As an essential part of an organization’s overall information security program, security awareness should likewise reduce loss.

In Chapter 8, I discuss some metrics you can use to judge whether your awareness program successfully reduces loss. Many security awareness professionals talk about the likeability of their tools, the number of people who show up to their events, and the quality of their posters. These metrics and general impressions are nice to know, but they’re relatively useless from a practical perspective.

A metric demonstrating that you’re changing behaviors in a way that reduces loss, or preferably improves efficiency and makes the organization money, is the most useful metric to show that you’re producing value. This isn’t to say that it’s the only possible benefit of a security awareness program. Awareness programs also often provide intangible benefits to the organization. These benefits include protecting the organization from damage to its reputation, illustrating that the organization is committed to security, generating excitement and engagement among employees, and reassuring customers that your organization is actively protecting them.

If your goal is to contribute to your organization’s security effort, you must identify the benefits your program will bring to the organization. These benefits can’t be that the program merely provides information. The program should improve behaviors. You must be able to show how the program returns clear value to your organization, and this value should ideally return clear value to the bottom line.

GETTING THE BUDGET YOU NEED

I developed a philosophy during my career in cybersecurity:

You don’t get the budget you need — you get the budget you deserve.

Security awareness teams typically compete against other teams for budget funds and other resources. For example, the team may work under the cybersecurity, human resources (HR), compliance, legal, physical security, or another department within the organization. All these teams compete for funding and other resources. Even if your cybersecurity program has sufficient resources to fully fund all teams, including the awareness program, you have to show that you deserve the budget amount you’re requesting. You need to financially justify your efforts.

You can have plans for the best awareness program in the industry, but if you cannot demonstrate that you deserve the appropriate budget, you won’t get the budget you need to implement it. Chapter 8 details how to collect metrics that help you show that you deserve what you need.

Showing users how to “do things right”

For your awareness program to help create desired behaviors, the program must show people the proper way to perform job tasks, or “do things right.” In other words, you provide instructions on how to do things properly by default.

When you consider most of the materials produced by vendors, and a great deal of the materials produced by organizations for internal use, these materials frequently focus on the fact that “bad people” intend to trick you. They tell you about criminals who will do harm if you fall for their tricks. This information can provide motivation, which can be worthwhile, but it doesn’t show users how to recognize suspicious situations as they encounter them.

When you teach people to focus on the ways bad people will exploit them, the training will fail when the bad people try a different trick. Expecting users to combat well-resourced, highly skilled criminals is a losing proposition. You cannot expect users to be consistently effective in thwarting such parties.

The better approach is for your awareness training to focus on the way that users can do their jobs properly. Ensure that users have an established process that they’re familiar with and that they know how to follow. The process should account for the potential of bad people trying to game the system.

I once worked with a large online gaming company that had problems with criminals calling up the support desk to dupe the support personnel into changing the passwords on specific accounts so that the criminals could go into the accounts and sell the assets. I created a decision tree to authenticate callers. As long as the support personnel followed the provided guidance, no accounts were compromised and no one had to train the support personnel to handle each and every possible scenario that bad people would try. It didn’t matter. We just told them the one way to do their job properly.

Though this strategy may not be feasible in every case, for every job function, your awareness efforts should generally focus on providing guidance in how people should do their jobs properly. This requires embedding security within job functions.

In many cases, you may find detailed procedures already defined but not well known or practiced. In this case, your job is to find those procedures and figure out how best to translate them into practice.

Recognizing the Role of Awareness within a Security Program

Awareness isn’t a stand-alone program that the security team uses to deal with the user problem, as it’s commonly called. Security awareness is a tactic, not a strategy, used to deal with the user problem.

As I cover in the earlier section “Reducing losses from phishing attacks,” for a phishing attack to exploit your organization, your system first has to receive the email message on your server. Your system then has to process the message and present it to the user. The user has to review the message and decide how to act on the message. If the message contains malware, the system has to allow the malware to install and execute. If the message sends the user to a malicious link, the system has to allow the user to reach the malicious web server. If the user gives up their credentials on a malicious web server, the system then has to allow the malicious party to log in from anywhere in the world.

When a phishing attack succeeds, the user action is just one link in a fairly involved chain that requires failure throughout the entire chain. This statement is true for just about any user action, whether it involves technology or not.

Here are several concepts to consider:

The user is not the weakest link.

Awareness addresses one vulnerability among many.

The user experience can lead the user to make better decisions — or avoid making a decision in the first place.

Most importantly, to stop the problem, you have to engage and coordinate with other disciplines. See Chapter 5.

Dealing with user-initiated loss (after all, the actions can be either unintentional or malicious) requires a comprehensive strategy to deal with not just the user action but also whatever enables the user to be in the position to create a loss and then to have the loss realized. You can’t blame a user for what is typically, again, a complex set of failures.

Though it’s true that, as an awareness professional, you can just do your job and operate in a vacuum, doing so inevitably leads to failure. It goes against the argument that you deserve more. This doesn’t mean that the failure wouldn’t happen even if everyone cooperated, but operating in a vacuum sends the wrong message.

Awareness isn’t a strategy to mitigate user-initiated loss — it’s a tactic within a larger security strategy.

The security awareness program isn’t the sole effort responsible for mitigating user error. If you say nothing to oppose this idea, you give the impression that you agree with it. Worse, you give the impression that users are responsible for any loss resulting from harmful actions that you already anticipate they will eventually make, such as clicking on a phishing link or accidentally deleting a file.

You have a responsibility to reduce risk by encouraging secure behaviors. But you’re also part of a team and you should work in concert to support that entire security team to reduce loss. In a coordinated cybersecurity department, each team determines their part in reducing losses related to user actions and takes the appropriate actions. Likewise, each team determines how best to support each other in the overall reduction of user-related losses.

As a security awareness professional, you can be the tip of the spear in coordinating a comprehensive solution to reducing user-related losses. Your primary focus is to create behavioral improvements that reduce the initiation of losses.

Disputing the Myth of the Human Firewall

The section heading might anger a lot of security awareness professionals, but I see the idea of the human firewall as a dangerous myth. The idea that users are your last line of defense (which is a catchphrase for many phishing simulation companies) is fundamentally wrong.

First, consider that users are not the last line of defense in any practical way. For example, if a user clicks on ransomware, the user environment can stop the user from downloading malware by not giving the user permission to install software. Even if the software is downloaded and installed, antimalware can stop the ransomware. To accept that the user is the last line of defense, you have to discount many useful technologies that are commonplace in organizations.

Michael Landewe, the CTO of Avanan, said it best:

If a user is our last line of defense, we have failed as an industry.

Regarding the claim of creating a human firewall, in principle it sounds great, but any security professional knows that even technical firewalls will fail. Users are less reliable than technology. Creating a human firewall implies that you will create an entire organization of users who always behave appropriately and securely. That isn’t possible, however. Though humans can consistently behave well, no individual (and especially no group of humans) in the history of mankind has always exhibited error-free behaviors.

Consider also that although other technologies do only what they’re instructed to do, humans can have malicious intent. If you leave your users as your last line of defense and they’re malicious, the results will be disastrous.

I want you to create the best security awareness programs possible, but you need to remember where you fit within the overall chain of actions. If you give the impression that the user has ultimate control of your systems, then the first time a user fails, you fail in your self-described mission, which can damage the credibility of your program. Consider that even the people who manage firewalls don’t imply that their firewalls will stop all attacks from getting in. If you spout off to management that you will create a human firewall to repel all attacks targeting humans, then the first time a user fails, your program has failed based on your own statements. Everything else you do will be met with skepticism, including requests for budget funds, personnel, time, and other resources. Don’t set yourself up for failure from the start.

The reality is that most people don’t give users and security awareness programs enough credit. Every time a user avoids clicking on a phishing message, your awareness efforts are successful. Every time a user locks up sensitive information, your awareness efforts are successful. Every time a user protects their screen from shoulder surfers, your awareness efforts are successful. These successes happen all the time.

Your users are a critical part of your organization’s system, and your efforts can significantly reduce loss. Aware users have helped organizations avoid disaster. I have personally been involved with users who have thwarted major attacks. Even when attacks have been reported after the fact, aware users responded appropriately, alerted the appropriate people, and significantly reduced the resulting loss.

The awareness programs you create can provide an immense return on investment. Just be sure that you set realistic expectations.

Chapter 2

Starting On the Right Foot: Avoiding What Doesn’t Work

IN THIS CHAPTER

Making compliance the goal — and nothing more

Failing to compel compliance

Overindulging in science with limited practical use

Mistaking social engineering skills for awareness expertise

Setting inappropriate expectations

Valuing products more than process

Buying into gimmicks that yield no results

Overestimating the role of security awareness

After working in the security awareness field for 30 years, I have learned the importance of knowing not only what works but also what doesn’t work. In the security awareness field, knowing what doesn’t work is almost more important than knowing what works.

This chapter helps you sidestep the problems I encountered throughout three decades spent working in security awareness. Your security awareness programs probably won’t be perfect from the start, but being aware of the red flags can definitely help you steer your program in the right direction.

Making a Case Beyond Compliance Standards

Checking the box means that an organization wants to meet compliance standards and nothing more. In this situation, you will have a harder time garnering budget and management support for your efforts. To create a security awareness program that changes employee behavior, however, you need to make your case — and prove that awareness provides a real return on investment.

CHECKING THE BOX MIGHT NOT BE JUST FOR AWARENESS

Sometimes the Check-the-Box mentality extends not just to the awareness program but also to the security program in general. One of my friends was hired as a CISO of a credit union. One of his first acts was to have me submit a proposal for a security assessment. The proposal met his budgetary needs and he submitted it for approval. He called me up a few weeks later to tell me that they would not be proceeding with the assessment, because his management team thought they had only $10 billion in assets and believed that criminals would never go after such a small financial organization. He went on to say that he found out that the only reason he was hired was that the auditors told the board they could not pass an audit without a CISO in charge of information security. It was no surprise when he left the organization three months later.

Clearly, an entire security program based on the principle of Check the Box presents a major threat to an organization, and, more importantly, to its customers. I use this example to highlight the point that, although an entire program being a Check-the-Box effort is a clear danger, treating any element of the program as a Check-the-Box effort represents a major risk to the entire program.

Though standards evolve, at the time of this writing, the major industry standards regarding security awareness are vague. For the most part, all they require is that an organization has an awareness program in place. The standards imply that organizations should hold annual awareness training, but they don’t specify what these trainings should entail or how to create them. As long as an organization can provide some form of confirmation to potential auditors that employees received some form of annual training, “the box is checked.” Even though auditors sometimes require phishing simulations, the standards provide no instruction for creating the simulations or performing them effectively.

In Chapter 8, I show how you can justify your efforts, even to a tough Check-the-Box crowd, by using metrics to demonstrate the value of your efforts to your organization.

Treating Compliance as a Must

Security awareness programs fail when they treat security as a should-do task and not as a must-do task. Security becomes a mere should-do task when programs seek to influence people to behave securely. These programs attempt to influence users to do the right thing by providing them with more information. Security becomes a must-do item only when users appreciate the consequences of their failings.

Consider awareness programs for sexual harassment, financial compliance, and similar issues. These programs don’t try to influence people to do the right thing — they inform users of their job requirements and the consequences of failing to meet those requirements. Failing to meet financial compliance requirements (such as properly filling out time cards, for example) can result in employees not being paid.

Compliance with a security awareness program that can prevent company operations from grinding to a standstill from a ruined computer network is something that, similarly, must be treated as, well, a must-do task. Security behaviors should be embedded within all business practices — not just added to the process. For example, when you’re authenticating a user for a system, the security checks should not be an addition to the practice but rather an embedded step within the overall practice. It isn’t a separate function.

Ruining the company computer network typically has far-reaching implications that are difficult to recover from. Yet desired cybersecurity practices continue to be treated as a should-do task. If you want your awareness message to be conveyed and followed, you need to portray your message as a must-do task. In other words, proper security-related behaviors aren’t optional — they’re required, just like all other business functions. Let me be clear: I am not saying that you personally should make the behaviors a must; good security practices are likely an organizational mandate.

Motivating users to take action

Awareness professionals naturally want to believe that if they inform a person about an obvious concern, that person will take appropriate action, just by virtue of having received the information. In my experience, this assumption too often proves incorrect. Gaining compliance requires much more effort than simply relaying information. You need a detailed strategy, specific to your circumstances, that involves enforcement and creating a culture where everyone implements the expected behavior by second nature as part of their normal job function. (I discuss these strategies in detail in Part 2 of this book.)

Consider how this dynamic plays out in the rest of your life. Most people know that eating healthy foods and exercising can improve their health. In some cases, they even know that they can face dire medical consequences if they refuse to eat well. Yet they continue to ignore the advice. Relating this example to security awareness, the trick is to ask people to do a few simple things differently that will reduce an organization’s risk profile hugely and quickly, not make them into security experts.

BJ Fogg, a Stanford University researcher, developed many highly accepted concepts of human behavior. One of those behavioral concepts is the information-action fallacy, which is the belief that if you tell a person what they should do, why they should do it, and how it directly benefits them, they will do it. Just as this strategy doesn’t work in fitness, neither does it work with security awareness, where the implications are less dire for the individual.

When you implement your awareness program, you must dispel any belief on the part of yourself and the security team that, just because you inform people of an apparently critical issue, they will follow your guidance.

Working within the compliance budget

The compliance budget concept highlights how employees at work have a variety of requirements placed on them and their time. They have to balance how much time they use to satisfy various required tasks. The compliance budget accepts that users may well understand the importance of good security practices. It also acknowledges that users may consider other concerns to be equally or more critical. The more embedded security practices are within a job function, the more likely the practices will be implemented.

For example, if a user is running late to a critical client meeting, even if they know that securing the workspace is important, will they make themselves even later to the meeting in order to secure their computer and lock away sensitive documents? How do they determine which correct action takes priority? If you portray the security practices in your awareness program as a should-do item, you allow the user to ignore your guidance in favor of more apparently pressing issues. If your guidance is defined as a must-do item, however, it’s much more likely to be followed and implemented.

Users are typically balancing a variety of concerns, both personal and work related, and you need to consider how you’re presenting your materials with regard to positioning security awareness, among all the other daily concerns across their work and personal lives. This is where nudges and other properly placed security reminders, as discussed in Chapter 7, can have an impact on diligent users.

Limiting the Popular Awareness Theories

This section is probably the most controversial one in this book, as I take on a lot of popular concepts that I consider specious. When I read articles written by seemingly well-meaning security awareness experts, I see them quote scientific studies on psychology and marketing, among other areas, and I hear terms like mental models thrown around. These studies present ideas that seem important, but at the end of the day, I consider these ideas not practical to improve behaviors across an entire organization. I’m not saying that they’re irrelevant, but the focus on these sciences appears to be misplaced (as I discuss in the next section).

Applying psychology to a diverse user base