Security awareness: how not to do it
I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London. If you have read the previous blog item, you'll know that one item in particular caught my eye/ear. One of the presenters essentially said that security awareness doesn't work, a somewhat curious perspective to express in support of a security awareness initiative. Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since. My blood having dropped just below boiling point, it's time to respond.
Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness. I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs.
- The 'awareness program' I tried takes the form of a website and simple (first generation) Learning Management System, basically a series of web pages plus questions covering a range of information security topics. There was almost no introduction, explaining why I might want to pay attention (presumably because the only way anyone can be persuaded to do this stuff is if management cracks the big whip). There was very little latitude for the user in sequencing the topics - just start at the first and proceed one by one until you reach the end. If I had questions about password construction, for example, I had to have answered the first nine of 15 modules to get to number 10 on passwords. The only concession to usability was that I could have interrupted the flow (in between - but not during - the modules) and could return later to the saved checkpoint.
- The information pages appeared to have been lifted from existing materials - policies and guidelines, complete with legalese and cross references (which didn't work since there was no way to alter the delivery sequence of the awareness package, and there were no active hyperlinks). There was a lot of tedious content to read. I suspect that much of it would have gone right over the heads of many of the employees taking the course, even those diligent enough to read every tedious word. Worse still, there were inconsistencies within the text, sometimes direct and explicit contradictions - for example in one paragraph stating that limited personal use of corporate IT facilities was permitted with various caveats, and two paragraphs further on stating that corporate IT facilities were only to be used for legitimate organizational purposes.
- The quiz questions were mostly idiotic. It is common practice to include one obvious distractor in a multiple choice question, something that is clearly wrong. However, some of the questions had 2 obvious distractors with only one remaining option. About a third of the questions showed no creativity whatever, being merely "true/false" or "yes/no" choices. In most cases, the correct answer was easily identified from the quiz alone i.e. without needing to reference the information previously presented, typically because it was the longest and most legalese answer and/or it repeated key words from the question. I had to try especially hard to answer anything wrong ...
- When I entered an incorrect answer, the system told me it was correct and highlighted the correct answer in bold. It gave me absolutely no further information about why my chosen answer was wrong or why the correct answer was right. There was no opportunity for me to go back to the information page to re-read and check my understanding - in fact the introduction to every module said I could not return to the information page after starting the questions. In other words, this was really a quiz not an awareness activity.
- At the end, the system told me "congratulations", emailed me a certificate of completion (whoop whoop! Lashings of ginger beer all round, I've got a CERTIFICATE!), and finished with "See you next year!" SEE YOU NEXT YEAR!! Oh boy, it seems this is a once-a-year process. I will have trouble remembering all that content tomorrow. I will probably forget chunks of it and important details by the end of this week. Next month, I will have forgotten I even took the test and wrote this rant. What's the point of once-a-year anything? Imagine if, say, learning to drive a car was done this way! Or sex!
- Some of the information and questions were inaccurate, ambiguous or misleading, occasionally technically incorrect. For example, a "complex password" that fulfils the corporate minimum specifications (8 characters, mixed case with numbers) is actually WEAKER than a substantially longer password example. There are indeed "more than 97,000 viruses" but that data item is, oh, about a decade out of date. There were grammatical errors and logical errors too. I admit to still being in a particularly picky and cynical mood today but these problems should have been addressed by more careful proofreading before this was released for use. It is being used to assess tens of thousands of employees in an organization for which information security is extremely important. Couldn't they afford to pass it by a competent reviewer first?
- There were 15 modules. I'm a lightning quick reader and an infosec professional. It took me about 5 to 10 mins to read each module and do the quiz. That's an hour or two facing the little screen - many employees would need much longer. It was a totally humorless, soul destroying and, yes, boring exercise. Almost entirely text, with no diagrams and only a few nasty cartoon icons for company. I came away thinking "Thank , that's over for a year!". It was a distinctly negative experience, equating information security with tedium and slog. Q: What's in it for me? A: Nothing. In fact, the entire perspective was around protecting the organization's interests, not the individual user. Maybe if it had explained why installing and updating antivirus software on my home system would help protect me and my family from identity theft, then I might just have paid more attention.
- Some modules appear to have been updated, including a couple of mentions of a major information security breach that hit the news headlines, oh, about 2 years ago. All the impact has gone. Old news is an oxymoron. It's such a shame because the news media, IT press and infosec specialist press are full of highly relevant, topical and, dare I say it, INTERESTING news and incidents. Even better, the organization has undoubtedly suffered infosec incidents that could have made even more relevant and interesting case studies. But no.
- Some of the modules mention (relatively) new infosec risks, including social engineering. Great! Unfortunately, they provided no (zero, nothing at all) advice on what I ought to be doing about the social engineering and similar 'new' threats such as wireless network hacks. "X could be really nasty! It's a big issue! You're on your own kid!" is hardly the most productive awareness content. I wonder if this is partly because someone would have to create (and ideally proofread!) new content ... and if there is nobody on the payroll with the competencies and time to do it, that means going back cap-in-hand to the supplier of the "leading edge online information security awareness and training" pup they've been sold.
OK OK I'm ranting I know, but the reason is to point out that:
- With little investment and even less thought, security awareness can be done really badly;
- Bad security awareness is unlikely to be effective, and in fact could be counterproductive;
- The ineffectiveness of badly designed, constructed and delivered awareness programs says nothing about the potential for well designed, well constructed and effectively delivered programs; and
- It doesn't take a genius to figure out how to improve security awareness, especially when starting from such a low base. A 20 minute team seminar about information security would have achieved so much more than this hour or two of extreme tedium. Almost ANYTHING else would have been better!
I cannot understand why security awareness seems to be stuck in the mold of once-a-year inform-and-test (I used to call it the "sheep dip" approach to awareness, but subsequently found out that sheep are dipped more often than most employees are made to jump through the awareness hoops!). It's high time for a new approach and some fresh ideas. ISC2's Cyber Security Awareness Resource Center offers a range of freely available creative materials and ideas. Rebecca Herold's wonderful book "Managing an information security and privacy awareness and training program" is full to the brim with sound advice.
Security awareness is dead. Long live security awareness!