Skip to content ↓ | Skip to navigation ↓

It was one year ago that noted security practitioner Dave Aitel wrote a piece for CSOonline titled “Why you Shouldn’t Train Employees for Security Awareness,” an article that briefly created stir on the interwebs.

His basic point was that even the most savvy of individuals where security is concerned are still susceptible to ploys that result in serious security lapses simply because we all have exploitable tendencies rooted in our human nature.

Nonetheless, the consensus (sorry Dave) is still such that a robust security awareness program does decrease the likelihood that an employee will open a malicious attachment, click on a malevolent link, or undermine an organization’s security posture by falling prey to phishing or other clever forms of social engineering.

To that end, we spoke with another security icon – Kai Roer (@kairoer) – Senior Partner and Founder of The Roer Group, a European management consulting company that has provided trainings for more than 20,000 people in over 25 countries around the globe.

Roer, who’s blog can be found here, draws on principles from social sciences, effective communications and leadership development, and utilizes them in his infosec work for cultivating security culture.

He is also an author, a university guest lecturer on cybersecurity, and an entertaining and engaging public speaker who is in demand at leadership and security conferences around the world.

Roer – often described as being outspoken on security issues – says his take on awareness (which contrasts Aitel’s view) is probably quite well known by now.

“To put it bluntly, I believe many if not most security pros don’t understand what ‘security awareness’ really is. They do get security, yet it seems very hard for them to realize that people, and training people, is a very different ballgame than security,” Roer said.

“Add to this picture the idea of security awareness being touted a magic pill, and there is no wonder we see a large amount of security pro´s complaining about awareness not working.”

Roer maintains that the reason why security awareness programs are not successful is due to the fact that few security professionals are also in the business of training, nor are they versed in the inner-workings of the human mind, and many lack the communications skills required to successfully convey the security awareness message.

“In other words, more awareness is the answer but only if done correctly, and only if it is implemented as part of a comprehensive security effort,” Roer asserts.

“It should go right up there with your policies, your security metrics, your incident reports and the rest of your controls. It is not a substitute for them, it is a supplement.”

This begs the question of how we can then do security awareness correctly.

Roer says that one option can be to apply methods like the Security Culture Framework, an approach he is spearheading and which will be made publicly available later this year.

The Security Culture Framework uses a process based on four simple steps:

  • Define Your Metrics: Roer says that like most things, if you do not know where you are or where you are heading in regards to security awareness training, it is impossible to reach your goal. So the first step in this framework is to clearly define a baseline as to where current efforts are, to ascertain where you ultimately want them to be, and then to define the best way to measure progress.
  • Organize Your Team: Roer says that if you are under the impression you can accomplish building a quality program without any help, then he guarantees you will fail in the act. This organization step helps you decide exactly who to involve in the process, which tasks you are most qualified to undertake, and which are better suited to be delegated to other business units like HR, corporate communications/marketing, the CFO or the CEO. You will need to understand how best to use these resources and leverage these internal partners to effectively engage the organization’s employees. “Your main job is not to train your employees, but to facilitate the process of creating and maintaining a security culture,” Roer said.
  • Identify Your Topics: This part of the process is where you need choose which topics to cover in your security awareness program based on your organization’s makeup, industry vertical, and overall business objectives. Roer also emphasizes that here is no reason why you should feel like you need to come up with every element of a strategy by yourself when there are plenty of resources in the security community that outline good policies and best practices, so seek them out instead of trying to reinvent the wheel.
  • Build a Game Plan: Roer points out that security awareness training is an ongoing process, and the awareness training program you are building should be too. A continuous game plan will allow you to determine which activities to do at what time intervals, and will also help you determine when you will need to review your metrics and revise elements of the program.

Roer says the Security Culture Framework approach relies heavily on the uncomfortable realization that most infosec pros are really great at security, but most likely will need the help of other key players to accomplish organizational change where security awareness efforts are concerned.

“Culture is the HR department’s turf, communication is the marketing department’s purview, while planning and execution may reside in the project management office or similar, depending on your organization,” Roer said.

“As the security specialist, you should concentrate only on how to facilitate the development of the content and the goals of the awareness program, which is a very different approach than trying to do it all yourself.”

Roer says the individual elements that make up an awareness program – like training sessions, policies, and procedures – are only tools in an artfully implemented security culture strategy, and as such they each play a vital role in its success.

“But ultimately they must serve a clearly defined purpose, and must work together towards a clearly defined goal to have a valid function,” Roer said.

“Without really clear definitions, the activities you engage in will only achieve short-term participation, which is unlikely to yield any long-term results.”

 

Related Articles:

 

P.S. Have you met John Powers, supernatural CISO?

 

Title image courtesy of ShutterStock

Hacking Point of Sale
  • Andre Gironda

    Aitel was discussing "security awareness" for his clients, the customers of Immunity Security. All of these customers are nation-states or financial institutions, usually specializing in total intelligence (e.g. military intelligence, counter-intelligence, security intelligence, et al). These are not your average people and they focus on OPSEC, not phishing-attacks.

    Security awareness programs as a capability or extension of Information security management are indeed what you say that they are, but they must keep up with the times. For example, it would behoove Enterprises to teach mobile device users about rooting/jailbreaking benefits and assume that all end-users do use custom ROMs or jailbreaks. It would be a mistake to not tell Enterprise app developers about intent spoofing or handler injection.

    Usually, when confronted with "security awareness programs", end-users and even professionals are watching a video tape that works about half of the time. The 5-minute video involves men with folk lifts in giant orange 70s-sportcoats. In 2013. And the metrics work somehow!

  • Main points explained in this articles were mensioned by Steven Covey in the seven habits of highly effective people. I found this nice review here