The security awareness cascade
Awareness and training in general are successful if they change people's attitudes and decisions sufficiently to change their behaviours. Getting them to do things differently (not just 'be aware' in some vague sense) is the aim, the bit that pays off. In the case of information security awareness, if successful it leads to people behaving more securely - stopping or avoiding insecure things, and starting or doing more secure things. Not falling for phishing attacks is a topical example, just one of many.
Knowing how to spot, avoid and minimize incidents is only part of it. Actually doing so is what generates benefits, as phishing incidents fall in number and severity. Workers diligently reporting incidents and especially near misses is a strong indication of a mature level of awareness, with still more benefits for the organization.
We think of security awareness as a process - a cascade or logical sequence of several discrete stages rather than a single nebulous whole:
- First we inform workers about stuff, providing information in forms they can assimilate and relate to. Years ago, informative posters were generally thought to be the way to 'do' security awareness. Today's equivalent, for some at least, is 'infographics': both suffer the same constraints. The information alone achieves little without the remaining stages. It is necessary but not sufficient.
  [By the way, planning and preparing the awareness program, deciding what that 'stuff' is, who 'workers' are, how we are going to reach them etc., and managing the program is a parallel activity that starts before stage 1.]
- Next we pique their interest, catch their attention and get them to focus on various aspects of information risk and security, for a fleeting moment at least. Workers are busy with their day jobs - we know that and we have to be realistic in our expectations. They are also individuals with individual preferences and needs, in unique personal circumstances, facing situations, challenges and opportunities that are both different to other people's and often dynamic. The personal interaction that happens through facilitated presentations, seminars, workshops, webinars, training courses, quizzes, discussion groups etc. helps lift the information off those static posters, policies and briefings, and resonate with the audiences ... leading naturally into the next stage ...
- So long as we have their attention, we have the opportunity to persuade and hopefully convince them that there is something they need to do. In Kurt Lewin's classic change model, this is the "unfreeze" step, freeing things up so that change can occur. Crucially, this involves motivating workers, providing the impetus for change. Whereas stage 1 was fact-based, stage 3 aims to elicit an emotional or visceral response. This is probably the hardest and longest challenge in the whole sequence, especially for the rational thinkers among us (as many of us are in IT, information security and security awareness). Workers (human beings!) can't be reprogrammed like robots. We have preconceptions, biases, prejudices, desires, habits and constraints. We have other things on our plates, at home and at work. Some of us resent being told to do anything, and may passively or actively resist (especially if we feel the pressure is inappropriate, excessive or not in our interest). Most of us need a little time and breathing space to consider and internalize things, perhaps chatting them through with others and 'learning by doing'. The surrounding context is important too, for example if our peers and other colleagues are generally supportive and encouraging, we are more willing to go with the flow than if the atmosphere is generally cynical or negative towards information security and the awareness program. In other words, culture has a strong influence, at all levels from national to corporate to team/group/office cultures.
- Provided the preceding stages went to plan and were effective, change for the better occurs here. We stop ourselves clicking dodgy links, sending sensitive messages or firing off angry, inappropriate emails. We start noticing and reacting appropriately to actual and potential threats. We report incidents and near misses. We assist, support and encourage our peers in the same vein, further improving the culture (we hope!). The primary business benefits of security awareness are generated in this stage. The organization becomes more secure, reducing costs and exploiting valuable business opportunities that would otherwise be too risky. We mature.
- Through compliance activities, we lock in ("re-freeze") beneficial behaviors and generally keep things moving along in the right direction. I've blogged before about the value of reinforcing desired behaviors by encouraging and rewarding workers who do the right thing, complementing the more usual compliance approach of enforcement by penalizing undesirable behaviors. Either way, it is necessary for someone to notice and react to the behaviors (good or bad), an area where good metrics excel. Tests, audits, post-incident reviews and so on are all very well, but the broader cultural aspect comes into play here too. When was the last time you thanked a security guard for doing their job, called the Help Desk back to show your appreciation for assistance in your time of need, congratulated a colleague on reacting to a stray visitor, or spread the good news about a crisis averted? It's not simply a matter of being friendly, polite and considerate: positive communication between people further enhances the culture, security gradually becoming the norm not the exception, "just the way we do things around here".
- The frozen state may not last long before it's time to focus on another issue (the next month's security awareness topic in our case) - lather, rinse, repeat.