Transformational Security Awareness - Perry Carpenter - E-Book


Perry Carpenter

Description

Expert guidance on the art and science of driving secure behaviors

Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective, world-class security awareness programs that drive secure behaviors and culture change. When all other processes, controls, and technologies fail, humans are your last line of defense. But how can you prepare them? Frustrated with ineffective training paradigms, most security leaders know that there must be a better way: a way that engages users, shapes behaviors, and fosters an organizational culture that encourages and reinforces security-related values. The good news is that there is hope. That's what Transformational Security Awareness is all about. Author Perry Carpenter weaves together insights and best practices from experts in communication, persuasion, psychology, behavioral economics, organizational culture management, employee engagement, and storytelling to create a multidisciplinary masterpiece that transcends traditional security education and sets you on the path to make a lasting impact in your organization.

* Find out what you need to know about marketing, communication, behavior science, and culture management
* Overcome the knowledge-intention-behavior gap
* Optimize your program to work with the realities of human nature
* Use simulations, games, and surveys, and leverage new trends like escape rooms to teach security awareness
* Put effective training together into a well-crafted campaign with ambassadors
* Understand the keys to sustained success and ongoing culture change
* Measure your success and establish continuous improvements

Do you care more about what your employees know or what they do? It's time to transform the way we think about security awareness.

If your organization is stuck in a security awareness rut, using the same ineffective strategies, materials, and information that might check a compliance box but still leave your organization wide open to phishing, social engineering, and security-related employee mistakes and oversights, then you NEED this book.


Page count: 571

Year of publication: 2019




Table of Contents

Cover

Foreword

Introduction

I: The Case for Transformation

1 You Know Why…

Humans Are the Last Line of Defense

Data Breaches Tell the Story

Auditors and Regulators Recognize the Need for Security Awareness Training

Traditional Security Awareness Program Methods Fall Short of Their Goals

Key Takeaways

References

2 Choosing a Transformational Approach

Your “Why” Determines Your “What”

Down the Rabbit Hole

Outlining the Key Components and Tools of a Transformational Program

A Map of What's to Come

Key Takeaways

Notes and References

II: The Tools of Transformation

3 Marketing and Communications 101 for Security Awareness Leaders

The Communications Conundrum

The Marketing Connection

Campaigns: If You Aren't Reinforcing, Your Audience Is Forgetting

Tracking Results and Measuring Effectiveness

Know When to Ask for Help

Key Takeaways

Notes and References

Additional Reading

4 Behavior Management 101 for Security Awareness Leaders

Your Users Aren't Stupid, They're Human

Thinking, Fast and Slow

Working with Human Nature Rather Than Against

The Nuts and Bolts of Shaping Behavior

The Problem with Motivation

Designing and Debugging Behavior

Tracking Results and Measuring Effectiveness

Key Takeaways

Notes and References

Additional Reading

5 Culture Management 101 for Security Awareness Leaders

Security Culture Is Part of Your Larger Organizational Culture

Getting Started

Cultures in (Potential) Conflict: Remember Global and Social Dynamics

Cultural Forces

Tracking Results and Measuring Effectiveness

Key Takeaways

Notes and References

Additional Reading

6 What's in a Modern Security Awareness Leader's Toolbox?

Content Is King: Videos, Learning Modules, and More

Experiences: Events, Meetings, and Simulations

Relationships: Bringing Context to Content and Experiences

Be Intentional and Opportunistic, Always

Use Your Metrics and Anecdotes to Help Tell and Reinforce Your Story

Key Takeaways

Notes and References

7 Voices of Transformation: Interviews with Security Awareness Vendors

Anna Collard, Popcorn Training

Chris Hadnagy, Social Engineer

Drew Rose, Living Security

Gary Berman, The CyberHero Adventures: Defenders of the Digital Universe

Jason Hoenich, Habitu8

Jim Shields, Twist and Shout

Kai Roer, CLTRe

Lisa Plaggemier, InfoSec Institute

Masha Sedova, Elevate Security

Stu Sjouwerman, KnowBe4

Tom Pendergast, MediaPRO

Winn Schwartau, The Security Awareness Company (SAC)

Reference

III: The Process of Transformation

8 Living Your Awareness Program Through the Eyes and Lives of Your Audience

A Learner Journey Map: Awareness in the Context of Life

Key Takeaways

Notes and References

9 Putting It All Together

Before You Begin

Thoughts About Crafting Campaigns

Measuring Your Success

What Does the Future Hold?

Key Takeaways

Notes and References

10 Closing Thoughts

Leverage the Power of Community

Be a Lifelong Learner

Be a Realistic Optimist

Conclusion

11 Voices of Transformation: Interviews with Security Awareness Program Leaders

Bruce Hallas, Marmalade Box

Carlos Miró, MUFG Union Bank

Dr. Cheryl O. Cooper, Sprint Corporation

Krina Snider, Sprint

Mark Majewski, Quicken Loans

Michael Lattimore, Independent Consultant

Mo Amin, Independent Consultant

Prudence Smith, Senior Cyber and Information Security Consultant and Industry Speaker

Thom Langford, (TL)2 Security

Tory Dombrowski, Takeform

Appendix: Seven Key Reminder Nudges to Help Your Recall

Index

End User License Agreement

List of Tables

Chapter 1

Table 1.1: Example data breaches and their human factor causes

Table 1.2: The reality of human nature and security awareness programs

Chapter 2

Table 2.1: Human nature and security awareness programs: statement, implicati...

Chapter 3

Table 3.1: Connecting the 8Ps of Marketing to Security Awareness

Table 3.2: Power of Visual Branding

Table 3.3: Even Simplified Versions of Brand Logos Are Effective

Chapter 4

Table 4.1: Understanding the components of the Fogg Behavior Model (nonsecuri...

Table 4.2: Understanding the components of the Fogg Behavior Model (security ...

Table 4.3: Outcomes arising from different combinations of motivation and abi...

Table 4.4: Different combinations of motivation and ability within the Fogg B...

Table 4.5: Example of the Fogg Behavior Model applied to password management

Chapter 8

Table 8.1: Security Behavior Journey Map Brainstorming Sheet

Table 8.2: Security Behavior Journey Map Brainstorming Sheet (Completed Examp...

Chapter 9

Table 9.1: Brainstorming worksheet for obtaining stakeholder support

List of Illustrations

Chapter 1

Figure 1.1: Continuum of behavior from unintentional to intentional with malici...

Figure 1.2: Examples of both analog and technology-enabled human errors that le...

Chapter 2

Figure 2.1: The four main reasons why organizations create security awareness t...

Figure 2.2: Your program's goal either will produce limited benefit or can be t...

Chapter 3

Figure 3.1: Seven key takeaways from the communications disciplines

Figure 3.2: Security awareness leaders should start with “why.”

Figure 3.3: Trojan Horses for the mind

Figure 3.4: Images are the language of the mind.

Figure 3.5: Marketing-based thinking helped drive awareness for the Heartbleed ...

Figure 3.6: Personas transform “targets” into people.

Chapter 4

Figure 4.1: System 1 thinking example, part A

Figure 4.2: System 1 thinking example, part B

Figure 4.3: Fogg Behavior Model

Figure 4.4: Example of nudge theory: improving bathroom sanitation


Figure 4.5: Example of nudge theory: encouraging recycling

Figure 4.6: Password strength meters are a great security example of nudge theo...

Figure 4.7: Everything is interpreted through context.

Figure 4.8: Example of frames as interpretive filters

Figure 4.9: The Newcastle University experiment

Figure 4.10: Thinking through behavior groups with the Fogg Behavior Model

Chapter 5

Figure 5.1: Security teams face issues of scale and gravitational influence.

Figure 5.2: Security teams need a force multiplier.

Figure 5.3: Visualization of how culture carriers are viral in nature

Figure 5.4: Considering Maslow's hierarchy of needs as it relates to security c...

Chapter 6

Figure 6.1: Content variety: big-box shopping example

Chapter 8

Figure 8.1: Live your awareness program through the eyes and lives of your peop...

Figure 8.2: Example tactics to use at points of behavioral intersection

Chapter 9

Figure 9.1: The five secrets to security awareness success

Figure 9.2: The SMARTER goal setting framework

Figure 9.3: Security awareness topics should be planned and targeted in ways mo...

Figure 9.4: Security behavioral outcomes (reprise)

Figure 9.5: A robust security awareness program is a combination of multichanne...


Transformational Security Awareness

What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors
Perry Carpenter
Foreword

Perry Carpenter is a highly respected cybersecurity guru who I’ve gotten to know over the last two years. He has 15+ years of experience in the field both as a practitioner and as an analyst. He’s sharp, is incredibly analytical, has a knack for psychology, and is a prolific writer. I first met Perry when he started working at KnowBe4, but I’d heard of him when he was an analyst at Gartner through KnowBe4’s CEO Stu Sjouwerman. Perry and I always play off of one another on webinars that we put on together for KnowBe4. We have a natural chemistry that is sometimes hard to find. A big reason for that natural chemistry is one of the first things that drew me to him—our mutual love of magic. We both have such a fascination with it that we took turns showing each other magic tricks one day.

Social engineering threats have been around since before I was born. Con artists continue to get better. That’s a big reason why I look at security awareness as an absolute necessity—because humans can be easily influenced to reveal confidential information or to perform actions through manipulation and deception. Regardless of what the software does, humans can be tricked to do whatever another human wants. There’s no software in the world that can protect a system against a pretext. People must realize that technology alone won’t protect them. That’s why it’s crucial to implement entertaining, relevant, and informative security training to make it matter to employees personally (appeal to self-interest), which helps change behavior.

Perry has put together a comprehensive book about security awareness programs that every security professional should read. It covers a variety of topics related to security awareness including the psychology of the behaviors behind getting someone to perform a certain act or care about a certain topic, the use of marketing and communications tactics to enhance security awareness training, leveraging social pressures to change culture, and more. He’s also added a compilation of voices from the cybersecurity industry who provide their advice about how to put on your best security awareness training.

Not only does Perry address the “how” behind putting together a comprehensive and effective security awareness training program, he addresses the ever-important “why.” Why should people care about it? Why would it appeal to him/her personally? He even breaks it down to simplify why you should have a security awareness training program in the first place. Knowing the ultimate purpose and goal of your security awareness program is important because it correlates directly to the impact of your program.

One thing that I particularly enjoyed about his book was that he talked in detail about the importance of repetition when it comes to effectively getting a message across, and then he proceeds to summarize and repeat the most important points at the end of each chapter in the book. Perry also uses a line throughout the book that I’m a big fan of: “Just because I’m aware doesn’t mean I care.” Keep that in mind as you develop your security awareness program. Plan for it and work with human nature rather than against it to make your program more effective and to go beyond mere awareness. When we connect with people on an emotional level, the chance of them actually caring increases dramatically. Your ultimate goal should be to change end-user behavior and to shape the organization’s overall security culture.

We can’t argue that the world is in desperate need of better equipped security awareness leaders. And the human element is the most important one when it comes to your cybersecurity program. Beyond technology, beyond software, people are truly your last line of defense. At the end of the day, it all comes down to people. Perry has a way of masterfully exploring how people think and why they act the way they do. This is a fascinating read and, once again, something I’d recommend to everyone in the cybersecurity field.

—Kevin Mitnick

Introduction

I have a confession to make. This may sound strange, but pondering human thought and behavior is one of my favorite things to do. I think it's always been that way for me. I've wanted to know what makes people tick. Because of that, I've gone down a few interesting roads of study, from music, to religious studies, to magic and misdirection, to social engineering, to training as a street hypnotist and theatrical mind-reader, to taking classes in pickpocketing, to learning the ins and outs of public speaking and influence tactics, to graphic design, and more.

In all of this, I think I've actually been trying to understand why I do the things that I do and think the things that I think. You see, I've always felt a bit different. And that difference was confirmed to me late in life when I was diagnosed with Asperger's syndrome (a neurological difference also known as autism spectrum disorder, or ASD). In many aspects of life, this neurodiversity has served me well. I see the world in a different way. And that off-centered view of things has helped me find solutions or phrase answers in ways that can sometimes elude others. And, often, I'm sure that my way of approaching things has resonated not because it is better or more insightful; rather, it can resonate because it is quirky enough to cut through someone's pre-established filters.

In other areas of life, the social areas, I often felt (and sometimes still feel) like an alien or a social anthropologist seeking to better understand the strange and wonderful inhabitants of this world. That seeking to understand is something that I still do every day. So, pondering human thought (psychology), our behavior (behavior science), and group dynamics (culture) is ceaselessly interesting and fun. The best part of it (professionally) is that I've had the opportunity in my career to make this quest part of the mandate for my daily job.

The Security Awareness Connection

The various roles throughout my professional life have offered me a unique vantage point when it comes to security awareness programs and to the security awareness market. I've seen security awareness from virtually every conceivable angle.

I've been the recipient of security awareness training at former employers.

I've designed and implemented security awareness programs at multiple Fortune 500 companies.

I've served as the Gartner analyst covering the security awareness market, authoring the Magic Quadrant for the space, advising vendors, and helping security awareness program managers design their programs.

And now, I help shape the awareness market and seek to serve security awareness leaders around the world by working within the security awareness vendor community.

Over the 15 or so years that I've been directly involved in building my own programs, advising security leaders and vendors, or helping shape the future of KnowBe4, I've learned a thing or two about what makes a security awareness program viable and scalable for long-term success. I've seen what does and doesn't work. And I've helped to build real, functional, security awareness programs that have shaped the behavior of employees as well as molding the way that organizations perceive and value security within their broader culture. Isn't that our goal? I'm pretty sure you agree. After all, if that's not what you are hoping to achieve, you probably wouldn't be reading this.

I'm resisting the urge to summarize the entire book for you right now. But, as I do that, there are a few things that I can't help but allow to leak forward and spill onto this page. Specifically, I want to let you in on the main thesis of this book. It's this: the concept of “security awareness” can suffer from a fatal flaw, what I call the knowledge-intention-behavior gap. Just because your people are aware of something doesn't mean that they will care. And, even if they care and intend to do the right thing, a whole host of situations and contexts can interfere with the follow-through (the desired behavior). So, there is a gap between knowledge and intention. And there is a gap between intention and behavior.

A transformational security awareness program proactively accounts for the knowledge-intention-behavior gap. It does so by working with, rather than against, human nature. And it does so by setting an intentional, eyes-open, focus on the idiosyncrasies of human nature, human behavior, human thought and reasoning, social dynamics, the power of emotion, and more. A transformational security awareness program will allow these realities to define the program strategy rather than just tossing out the next security video or dragging everyone through the doldrum of the next annual PowerPoint fest.

Thinking Forward

I was very intentional about the cover image for this book. Take another look at it now. When we think about the concept of transformation, it's easy to think about a caterpillar's transformation into butterfly. But all too often, we think about the butterfly emerging from the cocoon. That's great—but it's the end of the story. Notice, however, in the cover photo, you see the caterpillar casting the shadow of a butterfly. It's about the future potential of what exists in the now.

This book is about helping you see the potential of what is possible and then helping you plan practical ways to move toward that transformational outcome. So, in the same way that you can look at a caterpillar and imagine the future butterfly, I want you to imagine. Imagine yourself, your program, your people, and your organization a year from now: transformed.

Let the Fun Begin

Let's make this a conversation. I'd love to know your thoughts as you progress through the book. Keep me up-to-date on any transformational stories you have. Or, let me know if I can help with anything.

Lastly, if you enjoy this book and think it's helpful, recommend it to others, write a review, and buy copies to give to all your friends, family, and co-workers this holiday season. OK, that last part was somewhat in jest. But I do sincerely hope to hear from you.

You can connect with me on LinkedIn (/in/perrycarpenter), on Twitter (@perrycarpenter), or on the Web (https://TheSecurityAwarenessGuy.com).

Perry Carpenter, March 2019

I: The Case for Transformation

In This Part

Chapter 1: You Know Why…

Chapter 2: Choosing a Transformational Approach

1 You Know Why…

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

Bruce Schneier, Secrets & Lies

OK. So, if you are reading this book, you likely already know why you need it. The world is in desperate need of better equipped security awareness leaders. The headlines and statistics make it clear that security technologies—no matter how good they become—will never be 100 percent effective. Cybercriminals will find gaps and points of ineffectiveness in the technologies and exploit them. It's the age-old arms race.

In that age-old arms race, regardless of whether we are talking about computer security or physical security, cunning criminals have realized that they can effectively and reliably bypass an enemy's defensive systems by exploiting vulnerable humans. The main tactic here falls under the simple heading of social engineering: the process of getting someone to believe something, reveal something, or do something that works to further an attacker's goals.

Security professionals are in a quandary. Many of them feel that they could build secure systems if only those pesky end users wouldn't ruin everything. Security teams develop robust policies that clearly define appropriate behavior, but the users don't follow the policies; in fact, they go around the policies.

But there is hope. Our job as security leaders is to deal with these issues head on, and that's where this book comes in. Welcome to the world of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. Over the next couple hundred pages, we'll peer into many fascinating (and sometimes frustrating) aspects of human nature. And we'll discover methods and tactics that we can use to shape the hearts, minds, and actions of our end users.

First, let's set the stage. In this chapter, we'll build the case for why a focused approach to security awareness training is critical for our security programs. This is foundational. You can use the information presented here to justify your investment of time and resources working on end-user training. And it provides enough ammo to shut down any naysayers who might argue that security awareness is a waste of time.

Humans Are the Last Line of Defense

Here's the truth: humans are the most important part of your cybersecurity program. Ignore them at your own peril.

It doesn't matter how much money we spend on technology, planning around human factors must be a critical part of the planning and implementation process. Why? Because humans are involved at every stage of the game.

Humans determine the need for new technologies.

Humans determine the need for new processes.

Humans select the technologies to purchase and implement.

Humans define process standards to be followed.

Humans review and tweak the settings of the business technologies purchased.

Humans review and tweak the settings of the security technologies purchased.

Humans design and code the applications you develop in-house.

Humans review the agreements that you have with third-party organizations.

Humans decide how to respond to suspicious incidents within your organization.

Humans decide how to respond to someone trying to tailgate into your building.

Humans make both conscious and unconscious decisions as to how they will react to the systems and information that they interact with each day.

Humans are your employees, contractors, shareholders, and customers.

Everything and everyone in your organization is impacted by the decisions and behavior of other humans.

There are other dimensions as well. Human behavior can range from negative to neutral to positive. Negative human behavior can be either unintentional (negligent) or intentional (malicious). Similarly, human behavior that is neutral, positive, helpful, or good is either intentional or unconscious. Figure 1.1 illustrates this point and can help you see how human behavior can fall into one of four quadrants, or zones. In Part 3 of this book, I'll propose some strategies for how to work with the types of behaviors associated with each zone.

Figure 1.1: Continuum of behavior from unintentional to intentional with malicious/harmful to beneficial outcomes.

As you think about the continuum of human behavior, slow down for a moment and consider the number of human touchpoints in every part of your organization. I'm sure you can quickly see that we do ourselves a disservice by simply hoping that technology-based systems will ever provide an adequate level of protection. When all other processes, controls, and technologies fail, humans are your last line of defense. What are you doing to equip them to be effective?

Data Breaches Tell the Story

Conduct even a cursory amount of research into the history of data breaches and you'll see the danger posed by human errors. Your users—all your users—contribute to the security posture of your organization. This ranges from the decisions and behaviors of your executive team and board of directors to your general end users to your IT staff and contractors. This isn't just an end-user population problem. It's an everybody problem because it's a human problem. As Walt Kelly, creator of the classic newspaper comic strip Pogo, put it when creating a poster for the first-ever Earth Day observance in 1970, “We have met the enemy and he is us.” [1]

From the issues that we all think about, such as clicking a phishing link or falling for more sophisticated social engineering scams, to much more mundane issues such as not securely disposing of documents containing sensitive information, we see that human error leads to data breaches. But here's the problem: as security technologists, we tend to put a disproportionate amount of our messaging and focus around data breaches that occur through technical means. The result can easily be that organizations end up doing a fantastic job helping employees suss out phishing emails but still leave them ignorant and unequipped to make secure decisions across a host of other areas. It's like closing and locking the front door of your house but leaving the garage and back doors open and unlocked. Figure 1.2 provides some examples of both technology-enabled and non-technology-enabled human errors that can lead to security incidents and breaches.

Figure 1.2: Examples of both analog and technology-enabled human errors that lead to security incidents and breaches.

For reference, Table 1.1 shows a quick sampling of some of the major data breaches of the past decade. Because I could fill a book (several books actually) with a listing of data breaches, I'm limiting the list to one significant breach each year.

Table 1.1: Example data breaches and their human factor causes

| Year | Organization | Impact | Human Factor Cause |
|---|---|---|---|
| 2008 | Bank of New York Mellon [2, 3] | Multiple issues contributed to a data breach impacting up to 12.5 million BNY Mellon customers. The first issue was that sensitive data on the tape was not encrypted. Then the tape went missing. The incident was caused by the loss of a backup tape that was handed off to a third party for storage with nine other tapes. When the tapes arrived at the off-site storage building, one was missing; the other nine were accounted for. | Loss of unencrypted backup tape |
| 2009 | Heartland Payment Systems [4, 5] | Heartland Payment Systems was breached by hackers using a common SQL injection vulnerability. The result was the loss of 130 million credit and debit card numbers and more than $140 million in breach-related expenses. | Poor coding (SQL injection) |
| 2010 | CitiGroup [6, 7] | Approximately 600,000 CitiGroup customers received year-end tax statements with their Social Security numbers printed on the outside of the mailing envelope delivered by the U.S. Postal Service. | Formatting error oversight |
| 2011 | RSA Security [8, 9, 10] | Attackers were able to breach RSA Security's network by sending two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high-profile or high-value targets. The email subject line read “2011 Recruitment Plan.” Seeds for RSA SecurID two-factor authentication tokens were exfiltrated. In addition to dealing with the public outcry and loss of face in the security community, RSA Security spent approximately $66 million reissuing physical tokens to SecurID customers. | Spear-phishing attack with malware payload |
| 2012 | Yahoo! [11] | Attackers embarrassed Yahoo! and shocked the security community by posting the usernames and passwords of 450,000 users associated with the Yahoo! Contributor Network. The attackers used a common SQL injection vulnerability. Adding insult to injury, the passwords that the attackers accessed were stored in plaintext. | Poor coding (SQL injection vulnerability) and user passwords stored in plaintext |
| 2013 | Target [12] | Credentials from one of Target's HVAC contractors were stolen via a phishing attack that downloaded and launched malware. These credentials were used to gain access into Target's networks and move laterally across systems. The effects resulted in the loss of data from approximately 40 million credit and debit cards as well as personal information associated with 70 million Target shoppers. | Phishing attack with malware payload |
| 2014 | eBay [13, 14] | Credentials from a number of (up to 100) eBay employees were compromised to gain network access. The attackers were able to exfiltrate data from 145 million customers. | Phishing attack leading to credential theft |
| 2015 | Anthem [15] | The records of approximately 78.8 million current and former customers were exposed as the result of a successful phishing attack potentially carried out by a foreign government. An investigation found that the phishing email was opened by a single employee at an Anthem subsidiary in February 2014, nearly a year before the breach was discovered and reported. | Phishing attack with malware attachment |
| 2016 | Democratic National Committee (DNC) [16] | It's hard to overestimate the impact that the DNC hack had. As the result of a credential harvesting attack, hackers were able to access the email account of John Podesta, campaign manager for Hillary Clinton. The emails were leaked and were the source of a number of embarrassing media stories that may have influenced the results of the 2016 U.S. Presidential Election. | Phishing attack leading to credential theft |
| 2017 | Equifax [17, 18] | The Equifax breach of 2017 exposed the personal information (including Social Security numbers) of approximately 145 million people. In addition to the data breach, Equifax's incident response and public reporting were extremely disorganized and caused great confusion for consumers wanting to know whether their data was exposed. | Hack enabled by internal miscommunication and failure to apply patches in a timely manner |
| 2018 | Exactis [19] | Exactis is a large data broker located in Florida. Security researchers found a fully exposed database containing personal information of nearly every U.S. citizen and millions of businesses. It contained data such as phone numbers, email addresses, personal habits, and information on the children (including age and gender) for each of the named individuals. | Unintended disclosure/misconfiguration of cloud storage |

So, what do these incidents point to? Simple: human behavior matters. There are extremely negative ramifications associated with falling victim to social engineering attacks, as well as with everyday mistakes, oversights, and lapses of judgment. We have a duty to instill good security hygiene into our user populations.

RESOURCES ON DATA BREACHES AND SECURITY INCIDENTS

There's no getting around it: publicly reported data breaches and security incidents are a big deal. They provide real-world answers to the question, “What's the worst that can happen?” Data breaches also help organizations see concrete examples of the types of behaviors or oversights that can lead to negative impacts.

Your organization might also find value in using breach-tracking databases to validate your own incident response practices. Do this by building threat models of reported breaches to see where the victim's security controls broke down, and then ask whether the same failure could occur in your own environment.

Here are links to a few annual and ongoing studies that you should take time to review:

Identity Theft Resource Center (ongoing data breach list and analysis):

https://www.idtheftcenter.org/data-breaches/

IBM Cost of Data Breach Study:

https://www.ibm.com/security/data-breach

Privacy Rights Clearinghouse (ongoing data breach list and research tools):

https://www.privacyrights.org/data-breaches

Symantec Internet Security Threat Report:

https://www.symantec.com/security-center/threat-report

Trend Micro (various reports and studies):

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports

Verizon Data Breach Investigations Report:

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

NOTE

When reviewing each of these reports, it is important to understand that the numbers reported in each will likely differ. One of the main reasons is because the company that is analyzing and reporting on the data may define a key reporting term/category differently than another. For instance, one may have a category for “social engineering” attacks, and another may lump social engineering in with a category like “hacking” or may have a category for “malware” but not account for how the malware got on the system in the first place (social engineering, human error, process error, and so on).

Auditors and Regulators Recognize the Need for Security Awareness Training

What is the goal of an audit or of a specific regulation? Both are really focused on the same thing: establishing, and measuring against, a specific standard (or set of standards) devised to provide a baseline amount of protection or risk management for an organization. As they establish these baselines, they generally do so by looking at "failure" trends; in other words, analyzing "what went wrong" in the situations that created awareness of the need for audit or regulatory oversight. In analyzing such scenarios, auditors and regulators seek to catalog the discrete factors contributing to the failure. They then postulate the inverse, looking to identify and codify best practices, the controls if you will, that would help an organization avoid that failure in the future.

Given the connection between the human element and data breaches, it's easy to see why auditors and regulators are making security awareness training a key element in their audit and regulatory requirements. To serve as examples, here is a list of ten regulations and standards across a variety of industries that specify the need for security awareness training:

Bank Protection Act

Outlined in 12 CFR § 568.3.

Requires that covered entities provide initial and periodic training of officers and employees in their responsibilities under the security program.

Canada's Personal Information Protection and Electronic Document Act (PIPEDA)

Outlined in Schedule 1, Principle 4.1.4.

Organizations must implement "policies and practices" to give effect to the privacy principles; clause 4.1.4(c) specifically names training staff and communicating the organization's policies and practices to them.

Federal Information Security Management Act (FISMA)

Outlined in 44 U.S.C. § 3544(b)(4)(A)-(B).

To ensure effectiveness of information security controls over resources supporting Federal operations and assets, such organizations must establish, “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

Federal Financial Institutions Examination Council (FFIEC)

Outlined in the Information Security Booklet II.C.7(e).

For covered entities, this specifies management's responsibility to provide training that supports security awareness and strengthen compliance with security and acceptable use policies. Example areas called out for focus include use of endpoint devices, login requirements, password guidelines, phishing and other social-engineering tactics, loss of data through email or removable media, and unintentional posting of confidential or proprietary information on social media.

General Data Protection Regulation (GDPR)

Outlined in Article 39(1)(b).

For covered entities (any organization that processes or retains the personal data of EU residents), the GDPR specifies that a data protection officer must, “monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.”

Additionally, see Article 70(1)(v), which lists among the tasks of the European Data Protection Board that it:

"Promotes common training programmes and facilitates personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations."

Gramm-Leach Bliley Act (GLBA)

Outlined in the Safeguards Rule (16 CFR § 314.4) and in the Financial Privacy Rule (15 U.S.C. § 6801(b)(1)-(3)).

Requires security-related employee training and management as an element of the information security program, and requires appropriate safeguards to protect customer information against unintended disclosure or misuse.

Health Insurance Portability and Accountability Act (HIPAA)

Outlined in the Privacy Rule (45 CFR § 164.530(b)(1)) and the Security Rule (45 CFR § 164.308(a)(5)(i)).

Requires that covered entities "train all members of its workforce on the policies and procedures with respect to protected health information" and that they "implement a security awareness and training program for all members of its workforce (including management)."

Massachusetts Data Security Law (Standards for the protection of personal information of residents of the Commonwealth)

Outlined in 201 CMR 17.03.

Mandates training to maintain a comprehensive information security program. The training should focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information. Training must be “ongoing” and must be given for not only permanent employees but also temporary and contract employees.

North American Electric Reliability Corporation Critical Infrastructure Protection Standard NERC CIP

Outlined in CIP-004-3, Requirement R1.

Responsible entities "shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive ongoing reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis." Example communication mechanisms include emails, memos, computer-based training (CBT), posters, articles, presentations, meetings, and so on. The standard also highlights the need to show management support and reinforcement.

Payment Card Industry Data Security Standard (PCI DSS)

Outlined in requirement 12.6.

Covered organizations must “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security,” and ensure that employees receive training, “upon hire and at least annually.”

LOOKING FOR LINKS TO COMPLIANCE REQUIREMENTS FOR SECURITY AWARENESS TRAINING?

Many vendors serving the security awareness and training market maintain web pages dedicated to cataloging regulations and standards related to security awareness training. Here are a few:

InfoSec Institute:

https://resources.infosecinstitute.com/category/enterprise/securityawareness/compliance-mandates/

KnowBe4:

https://www.knowbe4.com/resources/security-awareness-compliance-requirements/

TeachPrivacy:

https://teachprivacy.com/privacy-training-and-data-security-training-requirements/

Traditional Security Awareness Program Methods Fall Short of Their Goals

For decades in the computer industry and for millennia throughout the history of humanity, those seeking to promote “secure behaviors” have fallen into a trap. They believe that exposing people to the right information will naturally result in those people adopting the appropriate behavior and mind-set.

Those of us who are parents can already see the logic flaw. Just because we tell our kids what we expect, even when we tell them why, doesn't mean that they will do what we are hoping. You can tell them that you want their room cleaned by 5 p.m. And you can show them a picture of a clean room, remind them what a clean room looks like, and even give them a lecture about the virtues associated with having a clean room. But their desire to keep playing video games, with LEGOs, or with their iPhone can easily override your hopes.

Our adult selves aren't any different. Want proof? I think we'd all admit that we, on occasion, disregard what a speed limit sign says. Speed limit signs exist for a reason, safety, specifically the safety of the driver and others on (and around) the roads. And speed limits are a legal control, not just a suggestion. But, how many of us take speed limit signs as suggestions? We read the sign, look at our surrounding conditions (rain, pedestrians, presence/absence of police, our schedule constraints or lack thereof), and make a context-driven risk assessment about how fast we can drive. Our users treat our security controls in much the same way that we treat speed limits: as suggestions or as impediments to progress.

For several years now, I've included the following two phrases in most of my presentations or interactions with security awareness leaders:

“Just because I'm aware doesn't mean that I care.”

“If you try to work against human nature, you will fail.”

Take a moment to review Table 1.2, and think about each of those statements and the related implications:

Table 1.2: The reality of human nature and security awareness programs

Statement: "Just because I'm aware doesn't mean that I care."

Implication: Awareness doesn't lead to caring. And, if I don't care about something, I'm unlikely to go out of my way to engage with it or perform related tasks.

Statement: "If you try to work against human nature, you will fail."

Implication: Humans are wired in specific ways. We don't like to do things that are difficult, awkward, or require change.

So, just giving people good security information won't cut it. In the next chapter, I'll remind you of these statements and implications, but I'll open the doorway to hope by adding a “Resolution” column that will help frame how we work within the reality of human nature. That's really the purpose of this book: to help you overcome the sticking points of insecure human behavior by working with human nature rather than against it. After all, do you care more about what your employees know or what they do?


Key Takeaways

We've reached our first “Key Takeaways” section. I'm including this section in each chapter as a way of helping distill the “So what?” For you, I'm assuming you already knew the answer to that before you picked up this book. However, let me boil down my main thoughts into a few bullets.

Humans are your last line of defense.

Regardless of how good our security technology is or becomes, there will be a percentage of attacks that slip through the technology or bypass the technology entirely. Humans will be your last line of defense in cases where these are not machine-to-machine interactions. Not training employees is therefore unwise and negligent.

Data breaches are a commentary on the importance of end-user training.

In many ways, the history of data breaches and publicly disclosed cybersecurity incidents is a study in how critical human decisions and behavior are to an organization's security program.

Auditors and regulators advocate for training.

The large body of audit requirements, regulatory requirements, and recommended best-practice standards all point to employee training as a critical element in an organization's cybersecurity program.

It's time to step up our game.

Unfortunately, even when organizations implement a security awareness training program, they fail to do so as effectively as possible for a variety of reasons, but primarily because they haven't successfully bridged the gap between awareness and caring, or the gap between knowing and doing. As an industry, we can do better, and we certainly have a lot to gain by doing so.

So, where do we go from here? In the next chapter, I'm going to provide a high-level view of what a more effective and impactful approach entails. Subsequent chapters will break this down even further, examining the different components, subcomponents, and considerations. After that, we will be in a great position to walk through how to put all the pieces together to build the effective and sustainable program your organization needs and your employees deserve.

References

1. https://en.wikipedia.org/wiki/Pogo_(comic_strip)#%22We_have_met_the_enemy_and_he_is_us.%22

2. https://www.bankinfosecurity.com/bank-new-york-mellon-investigated-for-lost-data-tape-a-862

3. https://www.reuters.com/article/us-bankofnymellon-breach/bank-of-ny-mellon-data-breach-now-affects-12-5-mln-idUSN2834717120080828

4. https://www.computerworld.com/article/2527185/security0/sql-injection-attacks-led-to-heartland--hannaford-breaches.html

5. https://www.privacyrights.org/data-breaches?title=heartland

6. https://www.aol.com/2010/03/02/citibank-may-have-printed-your-social-security-number-on-the-out/

7. https://money.cnn.com/galleries/2010/news/1006/gallery.biggest_bank_blunders/2.html

8. https://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/

9. https://nakedsecurity.sophos.com/2011/04/04/rsa-release-details-on-security-breach/

10. https://www.washingtonpost.com/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html

11. https://www.csoonline.com/article/2131970/identity-theft-prevention/yahoo-security-breach-shocks-experts.html

12. https://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/

13. https://www.pcworld.com/article/2360762/what-ebay-taught-us-about-malware-your-own-data-can-be-used-to-dupe-you.html

14. https://www.bankinfosecurity.com/ebay-a-6858

15. http://fortune.com/2017/01/09/anthem-cyber-attack-foreign-government/

16. https://www.washingtonpost.com/news/politics/wp/2018/07/13/timeline-how-russian-agents-allegedly-hacked-the-dnc-and-clintons-campaign/

17. https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony

18. https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/

19. https://www.wired.com/story/exactis-database-leak-340-million-records/

2 Choosing a Transformational Approach

The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.

Kevin Mitnick, Congressional Testimony, March 2, 2000

Let's start with a simple question: why are you implementing a security awareness training program? That question may seem overly basic, but having helped thousands of security leaders with their programs, I can tell you from experience that most people haven't stopped to analyze what they are really trying to accomplish. Instead, they know that they should "do some security awareness," but they don't really know what that means, and they don't know where to start. Add to that the fact that most people tasked with running a security awareness program have several other job duties on their plate, and you can see why it's so easy to end up with programs that are ineffective. They end up creating something that may serve a bare-bones compliance purpose, but then the stack of competing priorities mounts so high that the awareness program manager is forced to move on and deal with the other tasks on their plate. In the back of their mind, they know that they should do more, and they have every intention to do more someday, but the daily firefights always push someday further and further into the future.

So, before going any further, I'll ask again: Why are you implementing a security awareness training program? As you think about that question, consider your hopes for the program and your vision of what a great outcome would look like. This chapter will walk you through the premise of what a transformational security awareness program entails and how to begin that journey.

Your “Why” Determines Your “What”

Knowing your “why” may be the best indicator of your likelihood of having an impactful program. That's because having a clear idea of why you are building your program will naturally point to the types of things you'll need to focus on. Said another way, once you have a clear vision of your program's purpose, you can start planning the best way to achieve that purpose: why you are doing it will inform what you should do.

I've found that there are four main reasons (the “whys”) that drive organizations to implement a security awareness training program.

Compliance:

We do it because the regulations or auditors require it.

Information dissemination:

We do it to “get the word out” about policies, expectations, news, concerns, best practices, and so on.

Behavior shaping:

We do it to actively influence and manage the security-related actions of employees.

Culture shaping:

We do it to help mold the organization's collective core values, beliefs, attitudes, and actions as they relate to security.

Figure 2.1 illustrates the four whys.

Figure 2.1: The four main reasons why organizations create security awareness training programs.

We'll explore the implications for each “why” in just a bit. But, for now, be gut-level honest with yourself about your program's driving purpose as it exists today. Also, be gut-level honest about what your current organizational culture will tolerate. Thinking through your answers to questions like the following will help. How much awareness training is enough? What formats for training will your organization support? How often can you train? What are your challenges and limitations? And, how will you know if your program is achieving its goals?

Down the Rabbit Hole

When I was discussing the proposed content of this project with Jim Minatel at Wiley Publishing, he immediately said, "Oh, you are going for a true liberal-arts view of security awareness." Yes! Jim got it. And I'm hoping that you will "get it" as well, because for far too long the security industry has approached awareness in an extremely one-dimensional way.1

The frenetic pace and competing priorities that security professionals face daily is the biggest contributor to one-dimensional thinking and shallow approaches to security training. As you have undoubtedly seen, the negative effects of this are far-reaching. People aren't equipped to make good security decisions. That leads to security failures. And then leaders question the validity of security awareness programs and their ability to provide a positive value. They question not only the ROI associated with the time that employees spent on the training but the value of doing training in the first place.

This leads some within the security industry to advocate the following line of thought: because security incidents still happen in organizations that had already provided security awareness training on the very behavior that led to the incident, security awareness is of little to no value, and only technology will help an organization prevent security issues.2,3

Heck, even respected security experts like Bruce Schneier have made similar comments. In a 2013 blog post, Bruce wrote, “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater failings in security design.”4 While I have a lot of respect for Bruce, I think that his perspective here doesn't align with reality. I also think that it doesn't align with his broader thinking in the areas of security and technology. As an example, Bruce has a very well-known quote…the one that I used as an intro to Chapter 1: “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”5

So, what does it mean when even our industry's best and most respected thinkers have such contradictory opinions about the value and ability of security awareness training to reduce an organization's security risk? I personally think it signals frustration with the status quo and a hope for something better. We know that current security technologies have inherent failures, allowing for users to make unintentional or intentional decisions that lead to security incidents. At the same time, despite receiving training, users still make these unintentional or intentional decisions.

As an industry, we will always have to solve (and evolve) for both sides of the equation (technology and humanity). Not implementing standard and reasonable technology-based tools proven to improve an organization's security posture would be negligent. Similarly, not acknowledging that technology will never be 100 percent effective at preventing cybercriminals from crafting attacks that target humans, such as emails or other messages that reach your end users, is also negligent. The two approaches are not mutually exclusive. And whenever we create stronger security protocols intended to help our organizations, there will be a group of employees who will intentionally or unintentionally find ways to bypass those controls. The human element must be a factor in the deployment of technology, and it should be understood as a security layer in and of itself. Your defense-in-depth security strategy should always account for the following:

Determined human attackers who are continually probing for flaws within your security technologies (and the fact that flaws will always exist)

Unwitting employees who find themselves on the receiving end of a cybercriminal seeking to accomplish their goals by going around the technical layers of an organization's defenses, targeting humans instead

Employees who negligently or intentionally circumvent technical controls

Employees who negligently or intentionally divert from the organization's policies, controls, and processes

The interdependency between policies, controls, and processes that exist in the physical world and those of the organization's technology-based systems

The ever-evolving ecosystem of mobile, IoT, and other new technology-based systems that your people will engage with

The reality that digital data can easily spill into the physical world (e.g., printouts, whiteboards, conversations, and so on)

Thinking about this we can safely conclude that the human element of security will always be something that deserves intentional focus. And that's where security awareness training comes in. But it's time to push past the one-dimensional programs that have given security awareness training a bad name. Our goal is to change hearts, minds, beliefs, instincts, and behaviors. All of this means that we need to think broadly and incorporate practices from several disciplines that most security professionals have little experience or expertise in: topics such as marketing, public relations, communication theory, behavior design, culture management, and more.

Transformational programs break from the mundane mold that we've all seen for decades. That means if you decide to implement the concepts presented later in this book, you may be breaking new ground in your organization. Or, maybe you've started incorporating some of these practices already. If so, congratulations! My hope for you is that you'll be further challenged and encouraged to keep going deeper.

This is the point where I get to pretend to be Morpheus from the movie The Matrix. So, here's the challenge. My hands slowly open. In one hand, a blue pill. In the other hand, a red pill…

This is your last chance. After this, there is no turning back. You take the blue pill—the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill—you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember: all I'm offering is the truth. Nothing more.

Morpheus, The Matrix

I see you are still here. Let's begin.

Outlining the Key Components and Tools of a Transformational Program

As we discussed at the beginning of this chapter, it's important to answer the “why” question before deciding on what your program will look like. You need to have an “eyes open” view of what your organizational drivers are because, for instance, if your goal is simply compliance, then you can happily close this book now and go to any one of the great vendors serving the security awareness market and purchase a subscription that will help you quickly achieve that goal. But, remember, you chose the red pill because you know that going the “security awareness simply for the sake of compliance” route is taking an extremely limited view of your responsibility as a security leader. We all know that compliance does not necessarily result in security. If you are already doing something because you need to be “compliant,” then why not do more and have a real impact for your organization and people? Why not do something that is transformational?

Figure 2.2 represents my take on how each of the four “whys” we previously discussed map to a level of effectiveness in impacting an organization's human-based security risk.

Figure 2.2: Your program's goal either will produce limited benefit or can be transformational for your organization.

Awareness programs that focus on compliance or simply sharing information are of inherently limited benefit. Such programs are either overly formulaic, thereby often becoming rote exercises that feel irrelevant and soulless, or focus on information sharing with the futile hope that presenting people with good information will result in those people automatically retaining and applying the information.

But awareness programs can achieve more. Much more. They can be transformational. Our awareness programs can be designed to shape behaviors, change the way employees think, modify their habits and beliefs, and even positively impact the social and cultural fabric of the organization. That may sound like a lofty goal achievable by only a select few willing to scale high mountains in search of gurus who miserly dispense secret wisdom; but, lucky for us, that isn't the case. The secrets of shaping behaviors and cultures stare us in the face every day; they are wielded by communications professionals, economists, psychologists, religious communities, political groups, professional designers, artists, storytellers, sociologists, and more. We just need to enter their worlds.

Consider the groups I just mentioned. Each of them “sells” ideas and experiences with the goal of understanding how to motivate people toward specific beliefs and behaviors. And they each draw from millennia of research and experimentation that have helped shape and refine their practices. They hold the keys that will help us unlock the elements of human belief and behavior. That is the journey that we will undertake for the remainder of this book.

Let's flash back to the two statements that I introduced in Chapter 1 and listed in Table 1.2, "The reality of human nature and security awareness programs":

"Just because I'm aware doesn't mean that I care."

"If you try to work against human nature, you will fail."

When I presented that table in Chapter 1, I included the statement and the implication; then I promised that I'd introduce a column with the resolution in this chapter. Take a look at Table 2.1.

Table 2.1: Human nature and security awareness programs: statement, implication, and resolution

Statement: "Just because I'm aware doesn't mean that I care."

Implication: Awareness doesn't lead to caring. And, if I don't care about something, I'm unlikely to go out of my way to engage with it.

Resolution: Connect security awareness messaging to topics, situations, and outcomes that your audience will naturally find relevant and meaningful. In cases where the connection is less intuitive, you will need to help them "connect the dots." Don't neglect the power of emotion and story. The more human the ideas become, the better. Move away from abstract, security-centric information and connect the information to human-centric outcomes, purposes, and compelling visuals. I'll be discussing the nuts and bolts of how to do this in Chapter 3.

Statement: "If you try to work against human nature, you will fail."

Implication: Humans are wired in specific ways. We don't like to do things that are difficult, awkward, or require change.

Resolution: When human nature makes performing secure behaviors difficult, you will need to either increase people's motivation to perform the behavior (help them remember or understand why it is important) or find ways to make it easier for them by facilitating the correct behavior. This can be accomplished with technology-based help or by "prompting" the correct behavior at the appropriate time. Even more difficult behaviors can begin to become easy and intuitive when repeated enough times. The goal is to create healthy security habits so that the behavior is no longer an exercise in logic but instead becomes ingrained, effectively second nature. I'll be discussing how this is achievable in Chapters 4 and 5.