The 2019 SANS Security Awareness Report: Awareness Training Is Rising

The Case for Security Awareness Training

Cybersecurity and cyber security awareness are critical to business survival in an era dominated by growing virtual crime. It might be true that most people know about costly identity theft and reputation-destroying network hacks. Organizations spend millions every year trying to defend themselves against cybercrime, but still, attacks seem to be more and more successful. What is the problem? Bruce Schneier said “that security was a combination of people, process and technology.” Without an embedded culture of cybersecurity awareness and enforcement, all of those fancy and expensive systems aren’t going to do much good. At the end of the day, your employees remain your organization’s weakest (or strongest) link in the cybersecurity field. It’s called “the human factor.” Criminals know the easiest way to access secure networks or steal data is to target people who already have access and steal their login credentials and other critical info. ENISA defines cybersecurity culture as “the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people’s behaviour with information technologies.” The current organizational cybersecurity posture justifies the need for cybersecurity culture. The majority of data breaches within organizations are the result of bad actors, and while cybersecurity policies are commonplace among organizations, employees may view them as guidelines rather than rules. Similarly, technologies cannot protect organizations if incorrectly integrated and utilized. According to ENISA, the purpose of developing a cybersecurity culture is to achieve a change in mindset, foster security awareness and risk perception, rather than attempting to coerce secure behaviour. This is where security awareness training comes into play. It is meant to equip employees with the knowledge and skills they need to protect themselves from criminal elements. Employees can be your strongest asset and become your first line of defense against online crime.

The SANS Report Key Findings and Discussion

The 2019 SANS Security Awareness Report represents data aggregated from 1570 qualified security awareness professionals from around the world. The main purpose of this annual report was to outline what enables organizations to create thriving programs, to uncover potential pitfalls and to examine how to address these pitfalls. Ultimately, its data data helps to identify how organizations manage their human risk to include security awareness program maturity, funding and staffing.

The Five Distinct Stages

In its report, the SANS Institute measures the success of security awareness programs against a standardized Security Awareness Maturity Model. According to the Model, there are five distinct stages. Non-existent implies that an awareness program of any capacity does not exist. Compliance focused means that the program is designed primarily to meet specific compliance or audit requirements with training that is limited to an annual or ad-hoc basis. Promoting Awareness and Behavior Change means that the program goes beyond annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change at work and at home. Long-Term Sustainment & Culture Change means that the program has the processes, resources and leadership support in place for a long-term lifecycle and that program and cybersecurity are established parts of the organization’s culture. Finally, the last stage Robust Metrics Framework reinforces that to truly have a mature program, you must not only be changing behavior and culture, but you must also have the metrics to demonstrate that change. As an overall finding, the survey demonstrates that over the past three years, there has been a continuous decrease in the two most immature stages, non-existent programs (from 7.6% to 4.36%) and compliance-focused programs (from 27.1% to 21.1%). At the same time, there is a clear increase in the two most mature stages, culture change and metrics framework (up 5% each). This demonstrates a slow but steady increase in program maturity over the past three years.

The report's key findings are the following:

1. Lack of time and staffing were some of the top reported challenges facing security awareness professionals. Even so, over 75% of security awareness professionals said they spent less than half their time on awareness. This is concerning given the fact that the report found a statistically significant correlation between the reported maturity level and the percentage of time devoted to the program. Security awareness is still too often perceived as a part-time job; inadequate investments in awareness programs affect organizations' ability to mature their own programs. Simultaneously, the survey data revealed a strong correlation between the amount of people dedicated to running an awareness program and the maturity of this awareness program. The more people you have, the more mature your program, the report found. It’s incredibly difficult without full-time dedication to grow any program beyond compliance, as raising awareness means talking to, engaging and collaborating with others and that takes time.
2. The above finding is closely related to the job titles of those who run security awareness programs. The survey found that less than 10 percent of the job titles had the words "awareness" or "training" in them. Most of the job titles are technically focused, such as InfoSec Staff or InfoSec Manager. This once again demonstrates the part-time nature of this role and the overall immaturity of the security awareness industry.
3. Leadership support is a key factor for program success. It also highlights the importance of ensuring that leadership is aware of the investment made by peer organizations in information security. The survey results show that an effective way to garner leadership support is to leverage peer comparisons via benchmarking. Among those organizations whose leadership believe that their peer organizations are investing significantly, 69 percent of them are treating security awareness training as a top priority. This is nearly 10 times more in comparison to those organizations whose leaders do not perceive their peers as investing in awareness.This underscores the importance of security awareness training as an enabling factor.
4. Speaking about enabling factors, the survey also examined various blockers and supporters to awareness programs. Not surprisingly, the strongest supporters are the IT and Security departments, followed by Legal and Senior Leadership. The main blockers to such programs come from the Operations and Finance departments. This is because most awareness programs have a significant budget and operational impact on the organization. This finding underscores the necessity of effectively communicating the benefits of these programs by demonstrating the value of the positive impact the program can have on the organization’s overall mission.
5. The last finding is a direct consequence of the above one. The demographics of this year’s survey showed that a majority (80%) of awareness professionals came from some type of technical background. Although a technical background is an advantage because you have a thorough understanding of the technologies and the risks involved, the challenge is that “techies” often lack the soft skills to effectively communicate those risks and engage employees in a way that changes behavior.T his lack of soft skills is closely related to a cognitive bias called “The Curse of Knowledge” where the more expertise a person has on a subject, the more difficult it can be for them to teach or communicate about it. Security professionals often perceive security as being “simple” because it is part of their daily business doing. Based on this bias, they tend to make assumptions that security and technology are “common knowledge” for everyone else, and they then often build their awareness program based on these misconceptions. As a result, what experts tend to communicate might not align with what non-experts need to comprehend and apply.

Conclusion

Achieving a security awareness maturity is a hard task to do. While there is a general tendency to isolate individual employees as the cause of security-related issues, the data within the report demonstrates that addressing an organization’s human cyber risk is best handled by making data-driven decisions and consistent systemic training investments. After all, cybersecurity is a shared responsibility, is everyone’s job.