7 awareness lessons care of Ponemon & NIST

I listened-in on a webinar this morning, sponsored by an application security company with a brief contribution from a PCI rep ... but mostly it was Larry Ponemon discussing the findings of a recent Ponemon survey "The State of Information Security Awareness: Trends and Developments".

Let me clear something up for starters: despite the title, the Ponemon survey specifically concerned PCI-DSS security training.

This was a sponsored survey. If you read the Ponemon survey report right to the end, you'll find an appendix stating the actual questions asked, revealing the strong bias towards PCI and hence awareness/training as a compliance issue. I have discussed vendor-sponsored surveys before on the SecurityMetametrics blog.

Larry constantly muddled up 'training' with 'awareness', and it appears the survey did too, perhaps betraying a fundamental lack of appreciation of the differences. These are in fact different activities with distinct if related goals. The report said:
"It is not uncommon for companies with more complex training requirements to implement a hybrid program consisting of multiple delivery options which can include instructor-led courses, virtual instructor-led courses, recorded live presentations, static slide decks, and many others. Additionally, companies leverage newsletters, email updates, posters and other reinforcement assets to keep security in the forefront of their staff’s minds."
By 'hybrid program', Larry evidently means different forms of training, while awareness is dismissed as 'reinforcement'. I refer my learned friend to NIST SP800-50 Building an Information Technology Security Awareness and Training Program:



... and SP800-16 which states categorically:
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance."
Larry also equated 'cybersecurity' with 'information security', but (as is so often the way) barely mentioned anything other than IT, data or technical security matters in practice e.g.:
"Focused awareness training can be developed using a tiered approach: all employees receive general content; the IT department receives a more technical layer; and the Web or Networking teams get even more specific material related to secure coding and/or the technologies they use."
The survey's findings are at the same time predictable and disheartening. Just under half of the organizations surveyed run a "formal" security awareness/training program (whatever that means), but it appears many of them deliver just one session per year lasting less than an hour .... presumably a single training course or seminar, quite likely a Computer Based Training session, and most probably compliance-driven e.g. for PCI-DSS. In other words, it's a sheep-dip exercise to tick the compliance box.

Current approaches are not well received:
"64% of survey respondents reported being less than fully satisfied with existing PCI-DSS security training"
Given the above, I am dismayed to hear that companies are spending between $10 and $100 or more per employee per year on such poorly-designed and received security awareness/training programs. That's more than just an enormous waste of money: having ticked the compliance box, management presumably thinks they are doing all they need to do, blissfully unaware of the opportunities and risks they are missing. Management's lack of understanding and engagement with the awareness program is itself a substantial constraint, a risk.

This is a chicken-and-egg situation, a.k.a. the hamster wheel of pain:
  1. Unless management is sufficiently aware, they struggle to assess the awareness and training proposals thrust under their noses.

  2. Inadequate approaches to security awareness and training do not properly address management's needs. Most completely ignore them.

  3. Management is none the wiser.

  4. Goto 1.
In a similar vein, and despite spending so much, only about one in five companies update their security awareness/training content more than once per year. The remainder, some of whom don't update the content at all, presumably view information security as static implying another fundamental failure. Hacking, malware and social engineering attacks are most effective when victims are blissfully unaware that they are being scammed or defrauded, particularly when the attacks are novel. Likewise with vulnerabilities that tend to be most exposed in the early stages, and business impacts that are not usually appreciated until after the fact. Failing to keep up to date with the rapidly-evolving information security risk landscape is another serious yet avoidable risk. As NIST put it in SP800-50:
"An organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements, IT infrastructure and organizational changes, and shifts in organizational mission and priorities. CIOs and IT security program managers need to be cognizant of this potential problem and incorporate mechanisms into their strategy to ensure the program continues to be relevant and compliant with overall objectives. Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.”"
To end, here are seven conclusions that I draw from this episode:
  1. If you think awareness is the same as training, read the NIST standards or Rebecca Herold. These are complementary approaches.

  2. Information security awareness needs to reach everyone in the organization who handles or has access to valuable information. It's not just an IT or technology issue.

  3. Information security is a dynamic topic, hence the awareness program must be kept bang up to date to avoid obsolescence.

  4. In order to secure their support and engagement for the awareness program and the broader aspects of information security, someone must make management security-aware. So start here.

  5. Information security professionals should make the effort to identify and assess modern approaches to security awareness and training before designing their programs, committing to particular approaches and pestering management for money.

  6. Management should expect the infosec pros to compare and contrast a wide range of awareness and training options, digging deep to determine what the proposed 'solutions' will actually achieve. Ask about the learning objectives and business outcomes. Demand a well-researched, well-written, cost-benefit-justified business case and pick out of it the metrics that will both measure and drive the desired results.

  7. Make what you will of sponsored surveys and webinars (and blogs!). Don't swallow them whole. Recognize and adjust for the biases. Get your brain in gear!
Taking the 7th conclusion to heart, what do YOU conclude? Comments are open. Go right ahead. The floor is yours.

* To be fair, this very blog is sponsored by IsecT but I make no bones about that. Be honest, Larry, you're just the piper. Someone else called the tune - someone whose marketing budget paid for the study, someone whose business evidently centers on PCI training. Your calling this a "seminal study" is, frankly, laughable and does your credibility as a scientific researcher no favours.