Ira Winkler

Security Awareness For Dummies



added to increase abilities and prompts. You will likely have to work with other teams to accomplish this task, but it’s worth the effort. For example, adding a button labeled Report Phishing Message to an email client can increase the ability to report a potential danger — while also providing a constant prompt. This would likely involve working with the endpoint support team.

      Though behaviors may be related to an individual’s motivation and abilities, you can analyze the behavior at a macro level to identify how to improve the overall motivation and abilities of individuals. You can then decide on ways to improve prompting as well.

      The Forgetting Curve

      FIGURE 3-3: The Forgetting Curve.

      This list describes some ways you can try to “interrupt” the Forgetting Curve and slow the rate of forgetting among users:

       Reminders: Provide periodic reminders to refresh and enhance users’ knowledge. These can be posters, mouse pads, or any other “nudge” item that provides a frequent trigger for the information.

       Significance of information: Convey the significance of the information you share in your communications. If users assign significance to what you’re saying, they may automatically (like magic!) embed the information into long-term memory. This can include describing significant harm experienced, or, potentially, penalties for violating the procedures described.

       Memorable presentations: Present information in memorable ways, such as by using humor, outside speakers, or unique formats.

       Show connections: Tie the information to other memorable lessons, such as relating a past incident to how the application of your information could have prevented it.


Reminders interrupt the Forgetting Curve and are more likely to result in long-term retention of the information.

      When I speak at various events, I sometimes ask my audience, “Who is a security professional?” Of course, everyone raises their hand, and I reply, “You are all failures.”

      I go on to explain that the dictionary definition of security is being “free from risk,” and you can never be free from risk. Therefore, you will always fail when your stated goal is security. Supposed “security” professionals are charged with risk management, or determining risk and then mitigating that risk as long as mitigating the risk isn’t more expensive than the risk being realized.

      Optimizing risk

      When you create a security awareness program, you want to create the most risk reduction while using the least resources. To optimize your efforts, make it your goal to influence as many people as possible, but don’t expect to influence everyone. You can potentially influence everyone, but that means dealing with everyone individually, and unless you’re in a very small organization, this approach is impractical and too expensive. From a practical perspective, if you spend more on your awareness program than you save through your efforts, your program will be a hard sell to management.

      To discuss risk, you need to have a working definition of risk that you can use to step your organization through the costs and the expected rewards. This should also include the definition of exactly what is at risk. The following sections should help with the process.

      The risk formula

      Risk is what your organization has to lose. Depending on your industry, risk can be a probability or a value.

      To better understand how risk is defined, consider the relationship between its terms as shown in the following formula, which I call the risk formula.

math

      As shown in the formula, Risk is the value you have to lose times the probability that loss will occur — which makes intuitive sense. For example, if your organization has a value of $100 million and the probability of loss is 75 percent, your risk is $75 million.

      Value is essentially what you have to lose. The probability that you will lose that value is a function of your Threats combined with the Vulnerabilities that allow the Threats to exploit you. If you have no threat, you have no risk. If you have no vulnerabilities, you have no risk. The reality is that you always have threats and vulnerabilities, so unless you have no value, which is inconceivable, you have risk.
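The risk formula, together with the rule from the Optimizing risk section that a mitigation is worth buying only while it costs less than the risk it removes, put into working form. This is an added Python example, not code from the book; it assumes (my assumption, not the author's) that the probability of loss is the product of a threat likelihood and a vulnerability exposure, each on a 0-to-1 scale, and every dollar figure and reduction estimate below is a constructed sample value.

```python
"""Worked risk-formula example (added illustration, not from the book).

Assumption (mine, not the author's): probability of loss = threat * vulnerability,
each on a 0..1 scale. This reproduces the two properties the text states:
no threat -> no risk, and no vulnerability -> no risk. All figures are constructed.
"""
from dataclasses import dataclass


def probability_of_loss(threat: float, vulnerability: float) -> float:
    """Combine the Threat and Vulnerability terms into a probability (0..1)."""
    for name, x in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {x}")
    return threat * vulnerability


def risk(value: float, probability: float) -> float:
    """Risk = Value x Probability; e.g. $100M at a 75% probability is $75M."""
    return value * probability


@dataclass(frozen=True)
class Intervention:
    """A candidate awareness measure: its cost and the fraction of the
    remaining vulnerability it is estimated to remove (constructed values)."""
    name: str
    cost: float
    vulnerability_reduction: float  # 0..1


def select_interventions(value, threat, vulnerability, candidates):
    """Accept a measure only while it saves more risk than it costs.

    Mirrors the text's rule: mitigate only while mitigation is cheaper than
    the risk being realised. Returns (chosen names, net benefit in dollars).
    """
    chosen, net_benefit = [], 0.0
    # Cheapest reduction first (greedy is adequate for this illustration).
    for c in sorted(candidates, key=lambda c: c.cost / c.vulnerability_reduction):
        before = risk(value, probability_of_loss(threat, vulnerability))
        new_vuln = vulnerability * (1.0 - c.vulnerability_reduction)
        after = risk(value, probability_of_loss(threat, new_vuln))
        saved = before - after
        if saved <= c.cost:
            continue  # costs more than the risk it removes: not worth it
        chosen.append(c.name)
        net_benefit += saved - c.cost
        vulnerability = new_vuln  # later measures act on the reduced exposure
    return chosen, round(net_benefit, 2)
```

With a $100 million asset, the constructed "coach every employee one-on-one" option is rejected even though it removes the most vulnerability, which is the point the text makes about trying to influence everyone individually.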


For a more thorough discussion of risk, see my book You Can Stop Stupid (Wiley, 2021), which covers the subject in detail.

      Value

      Value is what your organization considers an asset. It can be a monetary asset, a reputational value, an intangible value (such as morale), or an operational efficiency, for example. It doesn’t have to equate to money specifically, but there will be a distinct asset that your organization wants to protect.

      From an awareness perspective, you have to ensure that you clearly identify your organization’s assets so that your user population knows what they need to protect. Knowing what is at stake is one of the motivations you can promote to your users to make them more likely to enact the desired behaviors.

      Threat

      Threat is essentially the Who or What that can cause harm, if given the opportunity. Most people think of threats as malicious people, and they are clearly threats. However, your awareness program is useful only if you believe that providing guidance to well-meaning users is valuable. And it is valuable, because well-meaning users are the more prominent threat. These people lack malicious intent but take actions that are nonetheless harmful because of ignorance, carelessness, or human error, all of which can be reduced by way of awareness. Well-meaning users cause exponentially more loss in aggregate than the malicious actors. Individual incidents can be significant, but more frequently the losses come from many small-but-frequent incidents that add up. For example, compromised credentials and lost devices