Security awareness training has been around for years. Seemingly forever. At the most security-conscious companies, security awareness training is an ongoing, concerted program that is delivered regularly, evolves with modern-day threats, and tests users on absorption of the material presented. For most of us, though, security “awareness” consists of an onboarding requirement and a few security messages that grace our inboxes inconsistently throughout the year. There’s a reason for this: No one likes security awareness training. OK, I suppose there are a number of industry trainers who love their jobs and love talking about security and therefore see security awareness training as the ultimate challenge. But behind closed doors, I would bet that a high percentage of those security awareness enthusiasts complain about having to repeat the same things over and over to achieve minimal results. It’s frustrating that awareness training doesn’t work, especially because humans will always be a target of cyber criminal activity. Social engineering and phishing work. They’re profitable. And awareness training isn’t making the dent we need to improve security.
What should the industry do about it, then? Give up? Invent technological controls that minimize the damage that can be accomplished from a successful phish or set of stolen credentials? That’s one approach. But humans will always be a factor in security, so perhaps it’s time to change tack.
I make my living off the evening news
The problem with awareness training is not that awareness training doesn’t work. In fact, awareness training does work! Rather well. (No, I am not contradicting myself. Hear me out.) The problem with awareness training is that the goal is awareness. Security has achieved awareness. Breaches and ransomware are in the news 24x7 nowadays. TV shows and movies feature hackers—both good and bad—and develop plots that center around cyber crime. Even my 70-something father knows not to click links in emails from unsolicited senders, understands “1234567” is a bad password, and has asked why websites ask for his phone number “as a security measure.” But awareness isn’t the issue. Behavior is the issue.
Knowing not to click on a random link is one thing. Not actually doing it (or clicking accidentally) is another. Creating long, unique, nonsensical passwords for every site and app is an easy concept. Changing all those passwords and remembering them is harder. Yes, security professionals evangelize password managers, but how many organizations have taken the bold step of making them a requirement for every employee? Some companies disable links to email inboxes, but what about the employee’s personal device?
There are plenty of technological changes security can (and should) make, but we need the help of humans, too. We need, therefore, to stop providing awareness training and focus on changing user behavior. This is a much harder goal, and these changes won’t happen overnight. Why? Because behavior change is hard, habits are ingrained, and plenty of people default to what they see/hear/learn in their communities. (The habit of reusing simple passwords across company systems, for instance, is learned.)
Just give me something, something I can use
Innumerable books about behavior change are readily available. For some people, the very analytical or science-minded in particular, the tendency is to brush off these types of books as snake oil. However, there is real science behind a lot of behavior change, and methodical processes (of the same variety we use in security) can be used to alter human actions, our own as well as those of the people we work with, i.e., the folks we want to convince to practice better security.
“Stick with It: A Scientifically Proven Process for Changing Your Life—for Good” lays out a methodology for behavior change, but unlike other books I’ve read (and I’m a pretty big skeptic), the processes here make sense. The author presents 7 principles for accomplishing behavior change:
(And, no, it’s not just because the principles spell out “SCIENCE” that I think this theory has legs.)
In the first chapter, the author writes about stepladders: using small steps to achieve dreams. Dreams are different from goals. In security’s language, the dream would be that users achieve perfect security hygiene. Dreams are long term and require steps first, then goals. Working backwards, a good goal for users at your company would be to change all system passwords by X date (goals are time bound and can be achieved in 3-6 months). Most people, though, would look at this behavior change and say/think: “The goal is better security hygiene. Let’s make all users change all passwords now.”
You can do that, but in all likelihood you’ll end up forcing users to change all passwords once, and then they won’t think about it again until you ram it down their throats the next time. Where’s the behavior change in that? This system works, but it doesn’t improve user behavior or get security closer to the dream, which is better hygiene.
Instead, the security team can introduce stepladders that help users achieve goals (N.B. don’t focus on the dream, “perfect security hygiene.” Focus on the goals, of which password changes are only one). Each step should be small, not terribly time consuming, easy to accomplish, and provide some reward. The first step, therefore, could be, “change your network password.” If your organization uses single sign-on or is federated, voilà! Lots of work is accomplished already. It’s likely, though, that with different systems, cloud applications, etc., your users have a number of passwords that need changing, and each stepladder is focused on those. Additional goals might be getting users to employ password managers or two-factor authentication. Again, you could force this on your organization, but then behaviors don’t become ingrained or long lasting.
People love it when you lose
As the steps occur, neither the security team nor users should be thinking about the dream: “perfect security hygiene.” In fact, the trick is to not even focus on the goal (“all” passwords changed) but instead to focus on each of the steps, which are easily digested by most humans. To a security practitioner, this process might seem overly micromanaged, but the fact is, large-scale change is hard for everyone, and to users who aren’t thinking about cybersecurity 24x7, changing passwords is a big deal. If it weren’t, they’d do it already.
The book provides many other juicy tidbits for positively editing behavior, but in the context of security, stepladders are a great way of moving people toward the security practices we’d like. We don’t need more awareness. Awareness already exists (coworkers have heard us droning on about this for…years? Forever?). Consider what you really want to accomplish—behavior change, not awareness that a problem exists—and take small steps in that direction. We’re not getting anywhere fast with the same old, same old awareness training anyhow.
Learn more about how to lead your security team—and ultimately your organization—to better security hygiene at InfoSec World 2018 in Orlando, Florida, March 19-21, 2018.