something, say something” result from one person’s noticing and reporting certain behavior or an event that other people may or may not notice — and that fewer report.
The campaign tries to reach as many people as possible to inspire one person to take action that others will not. Your awareness efforts aren’t measured by one person’s doing the right thing just one time, but by as many people as possible doing the right things consistently. This distinction is critical. Yes, inspiring one person to report problems that other people miss (or simply don’t report) is helpful, but your job is to significantly improve user behavior across the organization. As you check out this section, consider this context:
Sciences and tools used in awareness are truly valuable only if they can consistently change behaviors across large numbers of users.
Many people confuse behavioral science with psychology. Likewise, they mistake organizational psychology for individual psychology. Psychology can be useful, but you have to understand its limitations. Psychology focuses on individuals, whereas you have to focus on impacting the organization. This is a numbers game. In Chapter 7, where I address a variety of communications tools, I generally recommend that you attempt to use as many as possible. The reason is that people will respond differently to various types of tools and messaging. You need to understand that some types of communications, such as an anime-style video, may intrigue some people and completely disenfranchise others. Though this statement seems obvious, it’s easy to forget when you have your personal preferences.Differentiating between marketing and awareness
Marketing programs create a mental hook in getting people to understand desired actions, and they influence people to take those actions. “If you see something, say something” is a great example of a marketing campaign that produced some noticeable results. (See the previous sidebar, “If you see something, say something.”) Understand, however, that fundamental differences exist between the practical implementation of marketing programs and security awareness programs.
Here are three of the critical differences between marketing and awareness:
Marketing addresses completely voluntary behaviors; awareness behaviors are an expected part of everyone’s job.
Marketing success can be achieved by minimal increases in desired behaviors; awareness programs intend to inspire as much of the user population as possible to practice the behaviors.
Marketing campaigns typically target specific segments of the population to change behaviors; awareness campaigns target as much of the user population as possible.
Marketing is a comprehensive effort to understand and convince a targeted audience to perform a specific action voluntarily. Consider the key points of the preceding sentence: targeted audience and perform a specific action voluntarily. Advertising campaigns target very specific audiences because they need to address messaging specific to the audience. Even individual soda (or pop, or soda pop, depending on your region) ad campaigns target specific demographics. Those ad campaigns then attempt to inspire people from those demographics to voluntarily buy soda. Though soft drink companies want everyone to buy their sodas, they know which age groups and demographics are the prime targets of their products. For good reason, Mountain Dew advertisements frequently feature extreme sports, for example, and advertisements for tonic water usually feature older actors.
You, on the other hand, are targeting your entire user base, which likely contains a multitude of demographics and job roles. Remember that the security practices you promote are must-do items and not should-do items. You’re not marketing a voluntary consumer purchase that they wouldn’t otherwise make. You’re ensuring that all users are aware of the expected behaviors that will keep your organization functioning properly while protecting the organization and its customers.
Even more important, your goal is to have your users practice those behaviors. Marketing campaigns can usually declare success when they have single-digit percentage increases in their audience’s practicing the desired behaviors. For example, if a pizza delivery service can persuade 5 percent more people to order pizza during a football game, that might mean a 100 percent increase in sales — and the pizza seller is delighted. On the other hand, if you persuade only 5 percent of users to secure their workspace, it’s better than nothing — but you still have a massive security vulnerability.
Even the campaign advocating “If you see something, say something” hopes that they can inspire a small percentage of people to become more aware in reporting security exposures, in the hope that prodding one person out of hundreds to report something might prevent a major incident. Awareness programs need to create behaviors that are consistent across the organization. Again, though some aspects of marketing and advertising have applicability, such as understanding the best ways to communicate with your audience, you need to understand that, unlike in traditional marketing campaigns, you’re addressing multiple audiences, with a message that should not be treated as trivially as choosing Pepsi over Coke.
You can, however, make use of marketing principles by realizing the limitations of traditional marketing, when you realize that you need to target multiple audiences, and you will likely need to create multiple streams of communications with different messaging. More important, your messaging should be treated as critically as other serious messaging, such as sexual harassment and fraud prevention. Part 2 of this book covers methods to achieve consistent behavior change across various subcultures.
Distinguishing Social Engineering from Security Awareness
This section is personal for me. I started working in the awareness field as a result of my performing social engineering simulations, and then companies inviting me to come in and present awareness programs that told people exactly how I messed over the company — so that people would know what to look for in the future. I entertained people with my stories that the Wall Street Journal referred to as “… alternating between hilarious and harrowing.” The stories were definitely memorable. When I would later go back to my targets to measure improvements, however, they were small at best.
Consider that just because you can stab a person doesn’t mean that you can perform the surgery to repair the damage you caused. It’s unfortunately easy to physically harm a person with a knife; it takes infinitely more knowledge and skills to use a knife to save the person’s life. It’s a completely different skillset. Having performed social engineering for decades, I can state that it’s easy to trick a user into giving up information. It’s infinitely harder to train an entire population of users not to divulge information on a consistent basis. It’s likewise a completely different skillset.
Social engineering is a broad term for nontechnical attacks to achieve, or support, attacks to access or otherwise target computers or information. Phishing is the most common example, but dumpster diving, shoulder surfing, and telephone pretext calling are also common social engineering attacks. The most iconic attacks are those where someone calls up a user and pretends to be from technical support to solicit their password.
To be good at what they do, social engineers essentially know how to be good liars. They know how to perform transactional influence. They manipulate a user to do a one-time act that they should not otherwise do.
Social engineering requires a skillset that’s completely different from the one for awareness. A social engineer has to find one trick of influence at one given point in time to succeed. An awareness professional, however, has to create consistent behaviors on the part of users with whom they may never have a personal interaction. A social engineer might find holes that need to be fixed, but using an analogy, fixing a hole in a dam doesn’t strengthen the dam as a whole.
Providing information showing