This article was written by Christopher Vera, CISSP, HISP, GCFA, GLEG for Sucuri.
Of all the elements of a successful cyber security program, security awareness is probably one of the least understood. Some cyber security professionals have even gone as far as to claim that security awareness doesn’t work. Their observations are not entirely unfounded. The key is that successful awareness programs must provide value to their audiences. When they don’t provide value they are ignored, and thus ineffective, plain and simple. Further, a security awareness program cannot protect a user from everything. With new platform-agnostic attacks bypassing even fully patched systems with host-based firewalls and the most recent anti-virus signatures, it’s easy to throw one’s arms up in frustration. But defense in depth is one of our most trusted principles. We understand that no one security control can protect us from every threat. Otherwise, we’d have tossed out our network firewalls years ago. The advantage of a successful security awareness program is that it’s much less expensive to implement and maintain.
When most people think of security awareness, they generally think of clever websites, e-mails, and posters reminding us to adhere to the organization’s acceptable use policy or to stop clicking dangerous links. But a successful awareness program is more than the sum of its topics or its delivery mechanisms. It’s about changing the culture of our organizations. The agenda of all awareness programs is to change behavior; to replace security apathy with reasonable concern and consideration of security risks. It’s not fast. Success sometimes requires months or years. It’s difficult to measure effectiveness well. It’s as much a marketing campaign as a security control. In short, security awareness is a strategic element to a cyber security program, not a tactical one. This means our security awareness programs must have strong strategies (a topic for another time), and therefore, clear missions.
Let’s be clear about mission statements. They are short statements of purpose that an organization can use to drive strategy and decision making. The mission statement that I created for my own organization has worked so well it has been adopted by my company’s communications department and even external awareness initiatives like “Securing Our eCity” in San Diego, California.
The mission is so simple you may roll your eyes. I propose that the mission of a successful awareness program must be to “deliver the right message to the right people at the right time”.
Experienced cyber security professionals may recognize those words as a succinct description of the CIA Triad (Confidentiality, Integrity, and Availability) and that principle is precisely from where I adopted this strategy.
This mission helps those of us responsible for managing an awareness program focus on the three critical success factors: our audiences, our delivery mechanisms and our messages. These factors are based on criteria unique to our organizations’ needs. But what does it mean? How can we put this into action?
The right people
When it comes to communications, nothing frustrates our audiences more than being distracted by messages that don’t apply to them. If 90% of our audiences already regularly do the right thing, say, don’t connect their personal mobile devices to the network, then why, for goodness’ sake, would we make them sit through one-hour web-based presentations about the dangers of connecting personal devices to the network? If an audience isn’t responsible for patching Microsoft Windows systems, why e-mail them monthly reminders about the latest Microsoft vulnerability? Eventually, the message (and our branding) becomes diluted and future messages will be ignored. We have failed to provide value because the target audience rightly feels we are wasting their time. We didn’t care enough to send a relevant message, so why should they care about absorbing it?
Therefore, target audiences must be as granular as we can make them and still manage them successfully. Who should we deliver “don’t connect personal devices” messages to? Only those with a high risk of attempting to connect personal devices! Contractors and vendors come to mind. Who should receive messages about Windows vulnerabilities? Only audiences responsible for patching Windows systems.
The value of our awareness program increases as we tune our messaging for specific audiences that directly benefit (or avoid severe discomfort) from the content being delivered.
The right message
As awareness program managers, we must continually adapt our messaging. Think in terms of timely talking points. Evolving elevator speeches. Our awareness programs must constantly say old things in new ways in order to keep the content relevant to our audience and so provide value. The topics are often the same: passwords, e-mail, web browsing, information management, phishing. But sometimes it’s not what we have to say; it’s how we say it that makes the difference.
Take passwords. Passwords can be an incredibly boring topic because everyone has been told over and over about their obligations to create and manage their passwords.
Does your password messaging look anything like this?
Passwords should be at least 6 characters long and contain at least three of these four: upper case characters, lower case characters, numbers, special characters. It should not be anything found in the dictionary. Oh, and don’t write it down.
Ouch! It’s all well and good, but is as dry as toast and will be forgotten immediately after it is read because its value is limited. Compare that with this set of talking points about the benefits of passphrases.
Instead of a password, consider a passphrase, which is easier for you to remember and harder for bad guys to guess. Use a mnemonic to make it easier to remember without writing it down. This works for your own personal passwords as well as organization ones. Which is easier to remember and harder to guess using the mnemonic of “fast food”?
In this messaging example, we provide value by giving the audience a fresh way of looking at an old problem, and we make it personally relevant (it works at home too). When we need to share password complexity requirements, say for compliance reasons, we can link to the specific document in policy, standards and guidelines. Audiences that know the password standard can freely ignore the link. Others, like new hires, can click it for more information. This saves everyone time. Now that’s the right message!
The right time
Pop quiz. Many people in our organizations will probably get a virus or other malware this year. When is the best time to warn them not to click on potentially malicious links?
- A month before they click,
- A day after they click, or
- Right before they click.
Timing, as they say, is everything. So it is in our awareness programs. Every time a celebrity dies, or a major disaster strikes somewhere in the world, we quickly deploy prepared messaging (based on templates that can be easily modified to suit the message) using several different delivery mechanisms to warn our high risk e-mail and web browsing audiences to expect scammers to begin sending them malicious e-mails or links to malicious websites. Warning audiences about malicious links after your IT department has responded to 2500 users with malware on their systems is too little, too late. Our goal is to be able to provide inline context-based organizationally branded awareness to our audiences while they are using e-mail or web browsing. Newer versions of Microsoft Office and various browsers try to do this with pop-ups (“are you sure you want to open this?”), but use generic messaging that users tend to click through without a thought.
Oftentimes, well-meaning awareness programs will deliver cookie-cutter messaging on a monthly or quarterly basis, hoping audiences will remember that the message they read in January applies to the malicious link they receive in September. No wonder our messaging doesn’t perform to our expectations.
Our audiences have their own jobs to do. They will never understand (or even want to understand) everything we know about cyber security. Provide them value by giving them the information they need to make their lives easier. They don’t want computer viruses, or to be held accountable for a newspaper headline because they failed to shred confidential documents. Effective awareness is a critical element of a robust cyber security program that helps our organizations solve problems. This in turn positively influences behavior, which in turn changes the culture of your organization from one of security apathy into one of security awareness.
The right people, the right message, the right time. I look forward to hearing your own thoughts on the mission of security awareness.
Christopher Vera, HISP, CISSP, GCFA, GLEG is an information security practitioner with over 11 years of experience in drafting and publishing security policy, creating and managing multiple computer incident response and forensics teams, as well as vulnerability management, security engineering and security awareness programs. With a degree in Geological Sciences from San Diego State University, he is trained to examine the positive and negative synergies between large collections of systems. He works in the energy industry and is an active member of Infragard. He also writes science fiction and poetry. christophervera.com