While the origin of the recent WannaCry exploit is still under investigation, there is no doubt that humans remain the weakest link in the chain of defense against cyberattacks.
According to the IBM X-Force Threat Intelligence Index, human factors play a major role in various types of attacks. While it’s easy to blame users, many overlook the fact that these individuals can be turned into a valuable asset for an organization’s defense capabilities. A well-aligned, orchestrated security awareness program can unlock this potential, but its success depends on practices beyond the typical security domain — namely, psychology, communication and culture.
From Guidelines to Behavior Change
The traditional approach is to define an acceptable use policy and require users to sign it. This may help to transfer some responsibility to the users, but it does not make an organization more secure at the end of the day. Making users part of your defense requires more than a warning finger; it’s about changing behavior.
While the elements of a security awareness program depend on an organization’s structure, business and culture, human behavior change is based on fundamental principles. The first tenet urges security leaders to include users in the mission instead of treating them as a risk. To be part of the mission, individuals need to understand it, recognize risky situations and react in a proper manner.
Furthermore, successful awareness programs involve other — such as human resources, legal, marketing and physical security — that often have mutual interests. These departments can collaborate to make security awareness efforts mandatory and contribute valuable resources such as funding and distribution tools. Human resources can build security awareness into onboarding and performance management processes, for example.
Keep Your Security Awareness Program Focused
Human factors contribute in many ways to security risks, from dealing with phishing emails to handling sensitive data and interacting with other company assets. It is simply impossible to address all these issues at once. Instead, security leaders should focus on the most severe behaviors from a risk management perspective.
This approach will help to keep messages clear and prevent users from viewing security as an annoyance. Users are confronted with many daily obligations and simply don’t have time to wait for another set of tasks. Therefore, you should split your messages into small portions, assign tasks that take no longer than 15 minutes and distribute the content over a period of time. This approach also makes it easier to keep software up to date.
People consume information in different ways depending on their background, profession and generation. Successful programs incorporate a variety of channels to make the message stick, including newsletters, posters, games, news feeds, blogs, simulated phishing attacks and more. In general, the most participatory efforts appear to have the most success.
Measurement Is Key
If you invest time and money to strengthen your security program, you should be able to report its effectiveness to management and stakeholders. The only way to do this is to collect metrics in advance of awareness efforts. Without this baseline, it is hard to demonstrate success.
Security awareness metrics can include surveys to gauge attitudes and more statistical values such as results from simulated phishing attacks before and after awareness training. It might also be helpful to examine the number of security-related incidents. Measurable improvements, in any aspect of security, will help justify the program and, eventually, obtain additional funding and support.