Philosophical phriday - cybersecurity awareness month


We should congratulate and support colleagues around the world who have conceived, organised and promoted creative events for October's cybersecurity awareness month.

Seriously, well done all of you. Thank you for your energy and efforts. Thank you for caring. Thank you for doing your bits. Thank you for taking time out of whatever else you were doing, perhaps even allocating some of your budget towards this.

I am being 100% genuine here: this is not a sarcastic piece. I am truly grateful.

Trust me, I know* how hard it is to get any traction in this area, especially for such a diverse and largely uninterested audience as the general public, or for that matter just the workforce of a single organisation. Security awareness is pushing string uphill, a continuous hard slog with little obvious payback or gratitude. Hopefully you delivered successful, memorable awareness events, set-pieces that resonated and set people thinking and talking. Hopefully they have led to actual changes of behaviours, to people taking more care in risk- and security-related decisions, such as "Should I click that link?" or "Is this caller genuine?".

Hopefully those behavioural and attitudinal changes will persist. I wouldn't bet on it though, especially if your next security awareness push is a year away. Trust me, this is already 'yesterday's news' and within a few weeks will be largely forgotten as we head towards the traditional year-end festivities.
Security awareness decays like a radioactive isotope. Its half-life is measured in days or weeks, months at most.
The obvious response is to schedule an ongoing sequence of awareness activities, topping up awareness levels at least as fast as they decay ... but there are a couple of obvious issues.

First of all, awareness activities can be costly in terms of designing and preparing the materials, defining the messages and metrics, organising events and, not least, attending or paying attention to this stuff. There are highly cost-effective approaches for anyone with a creative flair or a little budget. The business benefits of awareness are tough to measure, but a simple approach is to consider the alternative: what are the risks and likely costs of a lack of awareness - either a total absence or the reduction caused by a few of those half-life periods? Just how many incidents involve a significant element of unawareness, inattention and ignorance - 10%? 50%? More? [I could make a realistic case for a figure close to 100% but that's a topic for another day].

Secondly comes the problem behavioural scientists call 'accommodation', where we become so used to repetitive everyday stuff that our conscious brains gradually tune it out. We are easily bored, perhaps even annoyed by frequent humdrum interruptions, so we ignore them to focus attention on other more interesting or important matters. This problem is quite easily addressed too: simply make the awareness activities fresh-as and vibrant, constantly covering new ground.  
 
* A long, long time ago, I came up with the idea of a global security awareness month, an opportunity for infosec pros around the world to collaborate in this endeavour. Despite my best efforts and a flurry of early interest, the initiative was an abject failure that lasted barely 2 or 3 years. But, hey, I gave it a shot. I'm glad to see others making a greater success of this than I could. Good on yer!