The standards imply that organizations should hold annual awareness training, but they don’t specify what these trainings should entail or how to create them. As long as an organization can provide some form of confirmation to potential auditors that employees received some form of annual training, “the box is checked.” Even though auditors sometimes require phishing simulations, the standards provide no instruction for creating the simulations or performing them effectively.
In Chapter 8, I show how you can justify your efforts, even to a tough Check-the-Box crowd, by using metrics to demonstrate the value of your efforts to your organization.
Treating Compliance as a Must
Security awareness programs fail when they treat security as a should-do task and not as a must-do task. Security becomes a mere should-do task when programs seek to influence people to behave securely. These programs attempt to influence users to do the right thing by providing them with more information. Security becomes a must-do item only when users appreciate the consequences of their failings.
Consider awareness programs for sexual harassment, financial compliance, and similar issues. These programs don’t try to influence people to do the right thing — they inform users of their job requirements and the consequences of failing to meet those requirements. Failing to meet financial compliance requirements (such as properly filling out time cards, for example) can result in employees not being paid.
Compliance with a security awareness program, which can keep company operations from grinding to a standstill because of a ruined computer network, must similarly be treated as, well, a must-do task. Security behaviors should be embedded within all business practices — not just added to the process. For example, when you’re authenticating a user for a system, the security checks should be an embedded step within the overall practice, not an addition to it. It isn’t a separate function.
Motivating users to take action
Awareness professionals naturally want to believe that if they inform a person about an obvious concern, that person will take appropriate action, just by virtue of having received the information. In my experience, this assumption too often proves incorrect. Gaining compliance requires much more effort than simply relaying information. You need a detailed strategy, specific to your circumstances, that involves enforcement and creating a culture where everyone implements the expected behavior by second nature as part of their normal job function. (I discuss these strategies in detail in Part 2 of this book.)
Consider how this dynamic plays out in the rest of your life. Most people know that eating healthy foods and exercising can improve their health. In some cases, they even know that they can face dire medical consequences if they refuse to eat well. Yet they continue to ignore the advice. Relating this example to security awareness, the trick is to ask people to do a few simple things differently that will reduce an organization’s risk profile hugely and quickly, not make them into security experts.
Working within the compliance budget
The compliance budget concept highlights how employees at work have a variety of requirements placed on them and their time. They have to balance how much time they use to satisfy various required tasks. The compliance budget accepts that users may well understand the importance of good security practices. It also acknowledges that users may consider other concerns to be equally or more critical. The more embedded security practices are within a job function, the more likely the practices will be implemented.
For example, if a user is running late to a critical client meeting, even if they know that securing the workspace is important, will they make themselves even later to the meeting in order to secure their computer and lock away sensitive documents? How do they determine which correct action takes priority? If you portray the security practices in your awareness program as a should-do item, you allow the user to ignore your guidance in favor of more apparently pressing issues. If your guidance is defined as a must-do item, however, it’s much more likely to be followed and implemented.
Limiting the Popular Awareness Theories
This section is probably the most controversial one in this book, as I take on a lot of popular concepts that I consider specious. When I read articles written by seemingly well-meaning security awareness experts, I see them quote scientific studies on psychology and marketing, among other areas, and I hear terms like mental models thrown around. These studies present ideas that seem important, but at the end of the day, I consider these ideas not practical to improve behaviors across an entire organization. I’m not saying that they’re irrelevant, but the focus on these sciences appears to be misplaced (as I discuss in the next section).
Applying psychology to a diverse user base
Yes, psychology can be a useful subject, and it defines the personality types of various people. At one level, by understanding various personality types, you should be able to understand the diverse thinking among your target audience. However, properly implementing psychology as a science as a fundamental part of your awareness program means developing awareness targeted to individual personality types.
Consider that there is no single form of psychology, and that a psychologist works with each individual in a way that satisfies that person’s individual needs. Just as some techniques work better than others for various types of psychological problems and personalities, the same is true for awareness.
IF YOU SEE SOMETHING, SAY SOMETHING
The title of this sidebar represents one of the most effective counterterrorism campaigns ever, used by US authorities to encourage people to report suspicions that might be associated with terrorism. At the same time, if you consider this campaign, it represents why awareness