Sometimes you need to shift your approach.

Show Notes:

Contact Me:

Twitter: @justinfimlaid


Security awareness is about getting your users to self-select the right security behavior when no one else is looking.

As security professionals, disseminating security awareness to our organizations is part of our job. It can suck to deliver an awareness program, especially in an organization that is too busy to be bothered by security messaging.

Since it's October, I've gotta do one on security awareness. I've had so many requests and questions about security awareness over the last 6 weeks that it only feels right to give this topic a little air time.

So before we get started, I think it's important to establish a baseline. In the most general terms there are 3 types of security "learning":

  1. The first is education. This usually involves a longer-term process intended to provide learning and understanding of a subject matter. A good example is a security professional pursuing an undergraduate or master's degree in a security discipline. The expectation is that while pursuing the degree you learn a broad range of subjects pertaining to the security discipline.
  2. The second is training, which has a narrower scope in that it is intended to ensure an individual can perform a certain skill or function related to their job. Training is usually role-based, and the content is specifically catered to the individual role.
  3. The third type is "awareness," and it is often a side effect of education and training. Awareness is different from education and training. Awareness of a topic can be generated by introducing a person to the subject matter or increasing their exposure to the fact that something happens or something exists.

Using the example of a car: if I educate a driver on the aerodynamics and construction of the vehicle, that same driver will be more aware of the car's construction and is more likely to spot when something looks out of place on the car that could impact the vehicle's performance.

Using the same example, if I train a driver how to drive the car (role-specific training), over time the driver will become aware of anomalies in the drive. Maybe the driver notices that the ride is becoming rough and subsequently that the tires need to be replaced.

Now, pulling this back to security. What happens when you don't have time to educate or train users in all the ways you want to? You can still introduce the idea of security awareness to your users. Since security awareness is the idea of exposing users to security topics or to the fact that a security risk exists, you can still make them "security aware" even if the idea of security doesn't interest them.

Seems easy, right? If it's so easy, why is the "human" still considered the weakest security link in any organization? I see it in almost every organization I meet with. Most data breaches can be traced back to human error or human oversight.

One commonality I've seen over the years is that most organizational technology users don't have an emotional attachment to work. They don't have an emotional attachment to the laptop the organization gives them, to the phone their company gives them, to the appearance of the corporate application, or to the content of the corporate social media post.

Why? It's the difference between a company asset and a personal asset. The laptop, the phone, the application, the social media post all represent another entity: the company. In a large organization you're somewhat anonymous in the transaction. But the personal laptop, the personal phone, the social media post that's under your own name... it's different. You've worked hard for those items, it's your money that bought the laptop or phone, and if you lose it you gotta buy another one or go without. If you post to social media under your own account, you personally have to answer for the content, good or bad. Naturally, you care a little more when it's personal.

Since the goal of security awareness is getting someone to self-select the correct behavior when no one else is looking, do you think you'd get a different outcome if people actually cared about corporate assets the same as their personal assets? Do you think people would be more emotionally invested in your security awareness program if they treated their corporate assets the same as their personal assets?

So what's my point? You need to appeal to people on a personal level.

If your security awareness program is directed at your users on an individual and personal level, they are more likely to learn the topic faster.

What if your awareness program included something like teaching your users how to secure the access and privacy settings in their Facebook account? Then instead of boring security briefings on access management, they're getting tangible security knowledge that can be applied to their personal life. If you had an accounts payable analyst go through that Facebook security training, do you think they are more or less likely to suggest access security controls during the next system implementation or upgrade?

I don't like to wrap these up without including some tidbits I've seen from the industry, so here are three things I've been seeing in successful security awareness programs:

The most successful security awareness programs I've seen have 3 components:

  1. They are visually appealing and quickly convey a message in visual form. We live in an Instagram world; proof of this can be seen in the rise of Instagram and other social media. People like pictures, especially unique pictures. You can get a ton of information from looking at a picture for even just a couple of seconds. The pictures and posters are different and engaging. If you have posters in your organization that say something like "it's not security without 'u'!" or show a picture of a mail envelope with a fishing line hooking a fish... and your users are yawning... try developing more engaging graphics and messaging.
  2. The message, in whatever medium, needs to appeal to the user on a personal level. This is pretty simple in concept and a little harder to deliver creatively. It requires some very creative techniques, and even enlisting your internal marketing team (if you have one) or spending time with your users to understand how technology appeals to them on a personal level.
  3. Programs need to address the what, not the how. Programs that philosophically address what the problem is, and not how to technically resolve it, tend to get more miles per gallon. What do I mean by this? Let's take the example of a math problem: if you give users the variables and the equation, it becomes a rote exercise of putting the variables into the equation and getting your answer. Unfortunately, in real life you don't always have all the variables... then what? Your equation doesn't compute. So to encourage critical thinking, users first need to understand WHAT needs to be achieved; once they have a handle on what the goal is, they can more effectively figure out HOW to reach it. In security, we never have all the variables and we have to make some educated guesses... but knowing WHAT we need to achieve can better inform HOW we get there.

So to wrap this one up, building security awareness programs is super hard work. Don't give up. The good things in life aren't easy.