Security awareness isn’t something new. It is a means to educate the workforce, the front line where risk is realised, and to create a culture where security behaviour marches triumphantly towards exemplary. This represents a fabulous opportunity to have a tangibly positive impact upon risk. However, in the real world, it is little more than a compulsory undertaking, carried out at as little cost and with as little effect as possible. Ask yourself whether you can even measure positive behavioural change, let alone produce it. Bear in mind that truly positive behavioural change is a cumulative set of collaborative actions across multiple people and units. More of that later. Let’s start at the basics.
Many organisations have been undertaking security awareness for many years, though I would argue that a large percentage of them are merely paying lip service to a complex area. This isn’t helped by things like the Gartner Magic Quadrant, or by the interpretation of regulations such as PCI-DSS, where “at least annually” becomes an annual tick-box exercise. The ethos is lost in the need to tick a compliance box, and thus many organisations frankly waste money, effort and staff time in an utterly pointless exercise. Make no bones about it: if your awareness programme consists of once-a-year computer-based training (CBT) on security, then you are doing it staggeringly wrong. Staggeringly wrong! You’d be better served by simply stopping.
Above everything, security awareness is about outcomes: an overarching set of goals that can be achieved, or worked towards, through coherent and meaningful awareness activities. The goal here is not to be compliant with a standard or regulation. Where PCI-DSS talks about awareness, it is not to provide a box for organisations to tick. It is about reducing risk, about protecting cardholder data, about having a positive impact.
To have a positive impact in any way, awareness activities must be developed with outcomes in mind. To develop outcomes, you must always consider cumulative effects and dependencies. This isn’t to create some kind of irreducible complexity, but simply to understand how an action or impact in one area creates an effect elsewhere. In its most basic form: if you were somehow able to raise awareness across all employees to a consistently high standard, then what would be the effect? Again, at the most basic level, employees would be more cognisant of risk as a concept, would more readily identify the manifestation of threats, and a reporting culture would be nurtured across the organisation. That in itself sounds great, and without doubt is a positive; however, in terms of positive actions and outcomes across the organisation, is this enough? In short, no!
All the above does is move aspects of risk to another area. Greater awareness, and thus greater reporting, places an overhead on security investigations and operations. Are the teams, or people, responsible for those able to cope with the demand? Do they in turn have dependencies upon processes, technologies and other teams in order to influence these investigations positively? Are they able to mirror any positive behavioural change to ensure positive security actions, or are they a detrimental dependency? Do you even know?
If you do not consider such knock-on effects when awareness activities are developed, then even if your awareness activities are brilliant, their effect will be significantly sub-optimal. You might also want to consider such teams for the insight they can provide in terms of the tangible risk parameters to build your awareness around. Again, with simplicity in mind, maybe provide awareness about the actual threats that employees encounter rather than some theoretical threats. You know, raise awareness about the contextual threats they face on a daily basis. Make it pertinent to them and to the organisation. It does help.
A large part of the problem with awareness, and with effecting behavioural change to achieve positive outcomes, is that the organisation and the thinking within it are dislocated. Dislocated from how a risk is realised and from the cumulative actions required to mitigate, respond and/or remediate. Dislocated from the processes required to enact such actions. Dislocated from a clear view of risk that would enable its successful adoption into awareness activities. Dislocated from the overall view of positive outcomes and what they are made up of.
All this, and then consideration of things like learning styles, timeliness, frequency, appropriate hooks, building affinity and much, much more.
To develop successful behavioural change across an organisation, change that has a tangible positive impact upon risk, awareness as it is done today does not come close to cutting the mustard. But then, how many organisations are actually trying to drive such change, as opposed to simply ticking a box or following the quadrant? That way ineffective change lies. To drive behavioural change, we have to change our own behaviours first and then apply them to our awareness programmes, most pertinently in understanding the spider’s web of cumulative effects.