Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/5/2013
08:06 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why Security Awareness Is Like An Umbrella

A small security awareness program will protect you as much as a small umbrella. So don't complain when you get wet.

If you look at the latest stories about computer hackers, or insiders who are the cause of insider attacks such as Bradley Manning or Edward Snowden, a common theme is the “Human Element.” The stories abound about how better security awareness would have stopped even the most devastating attacks. And that is very true.

At the same time, some people will claim that in all of the cases where a user enabled an attack, there was some form of awareness program in place, and it failed. These people will then go on to make a specious argument that since awareness failed, awareness programs are useless and funds should be reallocated to more technical countermeasures. Those arguments are not only naïve, they demonstrate that the people making these claims know little about practical security programs.

The fact is that all security countermeasures have and will fail. Encryption has failed time and time again. Firewalls have failed to stop attacks. Intrusion detection systems regularly fail to detect intrusions. Anti-virus software fails to stop a large percentage of malware. Access controls fail. Ironically a major reason for this failure is that all of these technologies require a person to properly implement and maintain them.

That being said, even the best awareness programs will fail. However as with all other security measures, failure does not mean that you abandon them or that they are not useful.

Any true security practitioner knows that security is not about preventing all losses, but about mitigating loss. A good security countermeasure helps to prevent incidents from occurring in the first place. However as all security measures will fail, it also helps to mitigate losses once an incident occurs. So security awareness should cause people to not fall prey to attacks, and also to detect and respond appropriately to attacks in progress.

The way to judge whether or not an awareness program is successful is to determine whether the money put into the program is less than the cost of losses that it prevents. The problem is that few people know how to measure the losses that are mitigated. You need to proactively collect metrics to see how a program improves user behaviors. This cannot be accomplished by just surveying people or seeing if they took required training. You need to determine how to measure the underlying security behaviors. This will be the topic of a future article. 

CBT is not an awareness program
In the meantime, it is important to understand what an awareness program is and is not. Specifically, most corporate awareness programs are not really awareness programs. Most programs are limited to mandatory computer based training (CBT) and sometimes phishing simulations. Neither of those tools constitutes an effective awareness program.

Auditors generally consider CBTs to satisfy security awareness requirements of just about all compliance standards. What these CBTs do is provide a base body of knowledge, frequently test people on short term comprehension, and can track people who complete the training. That does not demonstrate that people change their behaviors or are generally more aware.

The goal of security awareness is not simply providing people with facts. The goal is to improve people’s security-related behavior. Successful awareness training is not measured by the number of people who watch a video or click on a basic phishing message, but in their improved behaviors. This requires constant reinforcement of the desired topics, not randomly presenting topics throughout the year.

An effective awareness program engages employees on a regular basis and does not rely on a single format, or presentation of the topic on a one time basis. Security awareness requires reinforcement, like any aspect of human behavior.

It is also important to realize that one program is not right for all organizations. A good program analyzes the business drivers, to determine what topics need to be addressed. It then examines organizational culture to see what delivery vehicles will be most appropriate.  I’ll write more in future articles about the best methods to follow in order to develop effective security awareness programs. In the meantime, you can check out my latest white paper for additional information.

Think of security awareness as an umbrella. Just because you use an umbrella, it doesn’t mean that you won’t get wet. If you use an umbrella once, the umbrella does nothing to protect you from the next storm coming through. Likewise, a small awareness program will protect you as much as a small umbrella. You shouldn’t complain if you get wet.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 2:41:16 PM
Re: Intriguing article
Yes the idea of tailoring security awareness programs to the individual organizations and employees makes a lot of sense. Curious to know if any readers approach awareness in this manner already? If so, how do you design your program and execute it?
clorenzo
50%
50%
clorenzo,
User Rank: Apprentice
12/5/2013 | 4:13:17 PM
Intriguing article

This is a great read Ira. I agree that just because a counter measure isn't effective 100% of the time, doesn't mean it is time to scrap it. There is no cure-all solution to security. I've also seen a lot of companies that have  a "set it and forget it" mentality when it comes to security. The issue with this type of thinking is that hackers and identity thieves are adapting their methods on a constant basis, and technology has inherent flaws since is primarily built to protect against existing threats. I look forward to reading your upcoming articles.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...