One step at a time
This colorful image popped onto my screen as I searched our stash of security awareness content for social engineering-related graphics. It's a simple but striking visual expression of the concept that security awareness is not the ultimate goal, but an important step on the way towards achieving a positive outcome for the organization.
A major part of the art of raising awareness in any area is actively engaging with people in such a way that they think and behave differently as a result of the awareness activities. For some people, providing cold, hard, factual information may be all it takes, which even the most basic awareness programs aim to do. That's not enough for the majority though: most of us need things to be explained to us in terms that resonate and motivate us to respond in some fashion. In physical terms, we need to overcome inertia. In biology, we need to break bad habits to form better ones.
Social engineering is a particular challenge for awareness since scammers, fraudsters and other social engineers actively exploit our lack of awareness or (if that fails) subvert the very security mechanisms we put in place. "Your password has expired: pick a new one now to avoid losing access to your account!" is a classic example used by many a phisher. It hinges on tricking victims into accepting the premise (password expired) at face value and taking the easy option, clicking a link that leads them to the phisher's lair while thinking they are going to a legitimate password-change function. Our raising awareness of the need to choose strong passwords may be counterproductive if employees unwittingly associate phishing messages with user authentication and security!
Part of our awareness approach in December's materials on social engineering will be to hook-in to our natural tendency to notice something amiss, something strange and different. Humans are strong at spotting patterns at a subconscious level. For instance, did you even notice the gradation from red to green on the ladder image? That was a deliberate choice in designing the image, a fairly crude and obvious example ... once it has been pointed out anyway! See if you can spot the other, more subtle visual cues (and by all means email me to see what you missed!).
Those occasional flukes we call "coincidences" hold an extra-special significance for us, popping into our conscious thoughts in a remarkable way. As we are routinely bombarded with information through our five senses, pattern recognition is an efficient way to interpret the information flow in relation to our prior experience and expectations (in 'normal' situations), and to identify new or different patterns (something 'abnormal' and perhaps threatening). In the jungle, such a difference might alert us to a well-camouflaged lion lurking among the grasses, a potentially harmful item of food that smells rotten, or the howl of a pack of hyenas closing in. Especially when there's precious little time to react, and failing to respond may be life-threatening, reflexes can literally save our skins.
There are some reflexive aspects to security awareness concerning information security incidents or crises that threaten our personal safety. Mostly, though, we must supplement reflexes with learned behaviors. Awareness starts by pointing out dangers and encouraging/promoting particular responses in a deliberate, conscious way ... but through repetition, rehearsal and reinforcement we aim to make even learned responses subconscious - quick and automatic, similar to true reflexes.
I'm currently working up a suite of 'scam busters' - leaflets that describe different scams, frauds and social engineering attacks (providing information), and explain how to bust or avoid them (motivational guidance and advice, a 'call to action' you could say). Each scam buster fits on a single page, including a distinctive image that, we hope, will catch the eye and pop into the person's memory if they find themselves facing the situations described, or rather variants thereof. I'm in two minds about providing an example of each scam on the other side of the page: sometimes less is more, but briefly describing actual social engineering incidents might help bring home the point that these are genuine, real-world threats, not just theoretical concerns. Some readers will barely skim the front page, others may enjoy reading and thinking on. Either way, it's a win for security awareness.