Get SMART About Your Security Awareness Program

By Joe Knape

There are a lot of opinions about security awareness programs: what they should look like, what they should cover, whether they work at all, etc. Recently you’ve even read a few posts on the Security Catalyst blog about awareness training. In addition, there has been a lot of “research” and pontificating about why security awareness messages seem to consistently fail in their desired mission and what changes can be made. This research typically focuses on the psychology of the end user and how to craft the message for specific audiences to make it more effective. With all due respect to my fellow Catalyst contributors and to all the awareness “experts” out there, I think they miss the point. The point of security awareness programs is not to see how cool, hip, or clever the message and the delivery method can be, but to change the way people think and act about information, both their own and others’ when applicable. The point is to get people to want to protect that information from prying eyes or accidental disclosure. What I recommend is that instead of looking deeper into the psychology of the user, or trying to find the next viral communications technique, security awareness program developers should look at methods and messages from other areas where communication to a vast number of different people has been necessary and where those messages have been effective over time.

For example, how many of the following messages or sayings do you remember and act on whether you know it or not:

Click it, or ticket; Buckle up for safety; Don’t mess with Texas; Only you can prevent wildfires; Don’t talk to strangers; Look both ways before crossing the street; Friends don’t let friends drink and drive; Loose lips sink ships; Do not leave your bags unattended.

You get the idea. So, what do all of these messages have in common? They’re all S.M.A.R.T messages. What does S.M.A.R.T mean?

S stands for Simple, bordering on the simplistic; the message should not be long, or difficult to understand. It should be crafted in such a way that the mind can register and retain it with very little effort.

M stands for Meaningful; similar to Actionable below, messages without context are ineffective at best. A meaningful message is one that communicates information that is useful both for the security posture of the company AND for the target audience. Take “Only you can prevent wildfires” for instance; the point of this message isn’t only to protect the forests and parks but also to protect the individuals and families in those forests and parks.

A stands for Actionable; the message should have some element of what to do or not, something that the audience can latch on to and start performing immediately; Do lock your computer when you are away from your desk; Don’t let other people enter behind you without a badge.

R stands for Repetitive; no matter how well crafted your message, or how much time and effort you might have put into it, sharing it once a year is not going to be enough. S.M.A.R.T messages are crafted in such a way that they can be delivered over and over again using different venues and methods (e.g. posters, email signatures, phone messages, etc.) without overwhelming the audience.

T stands for Targeted. I said in a previous paragraph that modifying a message to take the psychology of your intended audience into account misses the point. However, targeting the audience based on delivery method is something that works. Some people pay attention to posters, others to emails, and others to phone calls. Targeting specific users with specific messages doesn’t make sense; it’s costly and redundant. Targeting specific users with the WAY the message is communicated, however, makes sense and is relatively straightforward to do. Basically you craft the S.M.A.R.T message and communicate it in as many different ways to all of your target audience as you can. Not only does this make sure that the message is transmitted multiple times, but it covers the range of how people learn, since they will be seeing it (posters), reading it (emails) and hearing it (telephone, loudspeaker, audio email, etc.).

So there you have it. Keeping your security awareness messages S.M.A.R.T. should make your training and awareness group more effective and more efficient and keep your audience from saying they wanted to follow the program but that the program “missed it by that much.”


When You Hear Hoof Beats, Don’t Look For Zebras

By Joe Knape

The title of this post is an old medical school adage. It suggests, loosely, that when a doctor learns of symptoms, the most common cause of the symptoms is usually the culprit. The challenge of knowledge and experience is the natural desire to consider extremes, often in the pursuit of diligence. This adage is a simple reminder for doctors that a fever is more likely a cold or flu – and not Hemorrhagic Fever. Philosophers and logicians have a similar saying known as Occam’s (or Ockham’s) razor, named after the 14th-century English logician William of Ockham. In Latin it is lex parsimoniae: “entia non sunt multiplicanda praeter necessitatem” but in English we know it as “All other things being equal, the simplest solution is the best.”

These principles are important to the way we practice information security and assurance – or as Michael likes to say, “the way people protect information.”

Sixteen years ago I worked for a husband and wife who ran a software development house in a small town in Oklahoma. It was my first real job with computers and my first real job since I’d gotten out of the Navy. One week I was sent to a training class in Dallas, Texas and while there the other students in the class started sharing the tech version of “war” stories. One story, from a man who lived and worked in an even smaller town in Alaska, has stuck with me to this day. John (not his real name) was the system administrator, technical support, cable puller, software installer, you name it, for all the government offices in this town in Alaska. John explained he was constantly called by one of the city secretaries complaining she could never access any of the files she was saving. She went on to explain to John that she was following all of his instructions to the letter, the system was giving all the proper indications that the files were being saved, etc.

It is important to remember what computing was like 16-20 years ago! The system was using, at best, 5.25″ floppies for storage (do you have any of those lying around?). John was stumped after spending several days and many hours on the phone with this secretary trying to troubleshoot the problem. In the process, he replaced the hardware, installed new software, tested every component of the system he could think of and explained the process to her again. Exasperated, he finally decided to just sit back and watch her work one day. As the day progressed, John was actually impressed with her proficiency. As she completed her tasks for the day, she put a brand new floppy into the drive, successfully saved her work, removed it from the drive, and promptly swiveled around in her chair, rolled the floppy into her typewriter, and banged away at the keys so as to label it. John says when he saw that he laughed so hard he fell out of his chair.

The lessons I learned from this story, that stick with me to this day:

  • While it is sometimes fun, in a perverse way, to imagine that the events in our daily professional lives parallel those in the book The Cuckoo’s Egg, or the movie “Sneakers”, when something goes wrong with a system or data or connection that is under one’s purview, the vast majority of the time the culprit will be a poorly trained worker, or a well-meaning admin just trying to get their job done,
  • When trying to identify and quantify risks to the business, be realistic and focus more on what might actually be threats to the business and less effort on über-hackers, or flying ninja monkeys, or marauding foreign governments, and
  • Save yourself some time and aggravation by keeping John from Alaska and William of Ockham in mind and “when you hear hoof beats, don’t look for zebras.”

Avoiding the Best Practices Trap

By Joe Knape

“Best Practice is, however, often a misused term. It is frequently used to support politically correct ideals which, in reality take no account of individual need or circumstances. In this sense the ensuing practice is far from ‘best’ when the resulting effects are contrary to the real ideal situation. It is also used to prevent challenges to rules and systems that are, in reality, not best practice.”

– Wikipedia (http://en.wikipedia.org/wiki/Best_practice)

As suggested by the Wikipedia entry, “best practices” often fall short of being best. Worse, blind adoption of such practices in a rapidly evolving field leads to stagnation in thinking and innovation. Best practices can even make things worse, by increasing risk, while leaving no way out for those trying to actually make a difference for the better.

Take, for example, anti-virus software. Multiple studies have shown that the effectiveness of anti-virus software has been decreasing in recent years. One such study is described here: http://www.heise-online.co.uk/security/Antivirus-protection-worse-than-a-year-ago–/news/100900.

Additionally, due to the pervasive nature of anti-virus software, any time a new device or access mechanism is being considered, say cellular phones or other portable “smart” devices, one of the first things that comes up is whether such software is available for the device, regardless of whether any real threat exists and regardless of whether any risk would actually be mitigated by the use of such software. Now, am I saying that anti-virus software shouldn’t be installed? No, I can’t and won’t answer that question for you or your company.

What I am saying, however, is that the implementation of anti-virus software tends to give people a false sense of security. This inability or unwillingness to look past anti-virus software at other viable solutions, even when confronted with evidence of its ineffectiveness, leads companies to unknowingly accept higher risk. It also makes it nearly impossible at times for security professionals who understand the risks and rewards involved to suggest, and actually implement, other more innovative and possibly more effective methods.

As we welcome a new year, we welcome new opportunity. One such opportunity is for security professionals to work together to rely less on ‘best practices’ and focus more on…

When you hear the term ‘industry-best practice’ ask yourself these questions and then try to stem the tide before the flood begins and it is too late:

1. What is the definition of “best” and do you agree with it?

2. What is the basis for determining whether the authors of the ‘best practice’ are competent, complete and suited to your situation?

3. What initial conditions or assumptions are necessary for the ‘best practice’ to be useful, and does your current situation meet them?

If the answers to any of these questions leave you doubting the veracity or effectiveness of the “best practice”, then maybe that particular practice shouldn’t be implemented, since most likely it is simply some process or procedure that originated from a failed or failing initiative and that will eventually go sour and make things worse in the long run.

Of course, that’s easier said than done but since the Security Catalyst Community is here to help we will be offering some follow-up blog posts to address such questions as, how to use the rejected practices to discover and document possible alternatives, how to use what you discover to push back properly, and what to do in the all too often case where the practice is implemented regardless of the forces mustered against it.


Doing The “Right” Thing

By Joe Knape

The focus of The Security Catalyst is “Changing the way people protect information.”

Despite the deep respect I have for Michael, I’m skeptical that can be done. Before we can change the way people are protecting information we have to get them to protect it in the first place.

My experience of the last 15 years or so has caused me to come to the conclusion that people don’t want to protect the information they are responsible for. Sure, one hears a lot of talk about frameworks and strategies and processes and I see and have helped to implement some clever, and some not so clever, technologies and point solutions, but it is rare indeed that I have seen individual information security professionals, much less entire groups or organizations, proceed like they actually want to protect the information.

We all know what we should be doing to protect the “important” information. We don’t do it because it might be hard, or it might take a lot of time or money or resources (debatable, but I’m thinking like an accountant), or it might upset someone else in the company. What I’m saying is, the “right thing” may not be easy, but it is always the right thing. You want to protect your information? You want to protect my information, or my mom’s, or my brother’s, or whoever else’s? Because, honestly, the information you’re responsible for isn’t really yours, it is your customers’, and your customers are your friends, your neighbors, maybe even your family. Maybe by putting a face on the information you will be motivated to do the “right thing” no matter how hard you think it is or how much pressure you might get from the powers that be.

So what is this right thing? Simple:

  1. Identify what is considered “important” information to your company. Is it customer data, sales leads, intellectual property, etc.?,
  2. Find ALL of your “important” information. Search every laptop, desktop, server, and database,
  3. If the data doesn’t absolutely need to be where you found it, scrub it; if it does need to be there, figure out a way to keep it safe and do it: encrypt it, anonymize it, put it in one or two central locations to be accessed “online” only, I don’t care.

Again, none of the above is “rocket science” and some of it may be extremely difficult, but it is RIGHT. So I ask you, for my sake, and the sake of my mom and dad, my brothers, and my friends, stop doing the easy thing and start doing “the right thing”.


Note from Michael Santarcangelo: for a complete answer to this challenge and more insights on how to successfully address this change, please read Into the Breach.


How to Get Four Aces and Go Home Happy (Part 2)

By Joe Knape

In my last post, Know the spACE, you read about how to become familiar with the industry your company is in. This is important to a security professional when trying to determine not only the risks a company might be exposed to but also in setting priorities for the people, processes, and technologies of a security program.

In discussing the second of “The 4 ACEs”, we look at ways to narrow the focus to company specifics.

Know the plACE

I have a pop-quiz for you. When you fill out magazine subscription applications, do you put any time and effort into actually answering those questions? You see, the ability to answer those questions is a good test of how well you truly know the company you work for. Following the suggestions in this post will put you in a better position not only to answer those questions more accurately (whether you actually do or not is irrelevant, and in fact your company might disallow you from doing so) but also to possess a much more accurate understanding of your company.

Here is a closer look at the types of questions that are asked in a magazine subscription request:

  • What is your company’s primary business? (covered in “Know the spACE”)
  • How many business technology projects will your company initiate in the next 12 months?
  • What is your company’s annual budget for ?
  • What is the total number of employees for your entire organization?
  • What is your organization’s annual revenue?

You may not be aware, but there are a few different ways to gather this information. In fact, you might be amazed at the level of detail that can be found at sites such as the U.S. Securities and Exchange Commission (http://www.sec.gov/edgarhp.htm) or in Hoover’s “company capsules” (http://www.hoovers.com/free/).

For more detailed information, such as budget numbers and the like, take a look at any annual reports that are published by your company. NOTE: this is also useful for consultants and of course, your attackers.

For privately-held companies this kind of information might be more difficult to find online so your best bet is to ask around. Reach out to the folks working in the other departments. As long as they’re not legally or ethically bound to withhold the information from you it never hurts to ask. Find out:

  • What your salesmen are selling,
  • What your marketing folks are marketing,
  • What the budgets for this year are for not only your department but as many of the others as possible.
  • Ask WHY your group got the dollars that were allocated this year; was it a dollar amount that was asked for or mandated?
  • Does your executive management hold “roundtables” or quarterly conference calls?
  • Are you attending them?
  • Are you paying attention?
  • You should be.

Now, at this point you might be thinking to yourself, “I don’t have time for this! I’m so busy that I’m not getting my “real” job done as it is. How can I possibly shoehorn in another task?” Believe me I know exactly how you feel but can I let you in on a secret? Once you get past the initial intelligence gathering activities discussed throughout these posts, keeping up to date won’t take you long at all. I would say that all in all I personally spend an average of less than 10 minutes on any given day. I’ve established a routine that consists of perusing my company’s homepage for any updates of note and keeping an eye on the Internet for any relevant news items (Google alerts is very helpful for this). Of course, I sometimes get a heads up from someone in marketing or product development or wherever because I’ve established a rapport with them but that doesn’t take long if you’re sincere and willing to help them out as much or more than they’re willing to help you.

It might sound too simplistic or too involved depending on your personal proclivities and professional situation, but the fact of the matter is being a security professional involves much more than just knowing when you can use a proxy instead of a firewall, or which policies are required for PCI compliance. Being a security professional is also about knowing the business.

The next installment of the “4 ACEs”, “Know the pACE”, will go into how to determine the pace and tempo of your organization in the areas of embracing change and managing projects, and how that will help you be more effective when trying to implement changes of your own.

If you’d like to discuss this in more detail feel free to contact me through the blog or at jdknape@gmail.com; or, better yet, sign on to the Security Catalyst Forums and get involved.


How to Get Four Aces and Go Home Happy (Part 1)

By Joe Knape

If you play poker or have watched a few westerns, you may realize that having four aces in your hand is a winning hand nearly all of the time. While obtaining your four aces in poker is a different story, I want to share with you how you can (legally) stack the deck in your favor at work.

Ultimately our job is to ensure that the security advice we give aligns with and supports our company’s business expectations and requirements. Most people seem to understand this on some level, which leads to a lot of discussion about the need to “keep the business in mind” (go here for a recent example). However, what is typically missing from these discussions is any easily adoptable, specific next step that can be taken. “The 4 ACEs”, consisting of this post and three more to come, are my attempt at helping you, and me, fill the gap that exists between the theory of “keeping the business in mind” and the reality of trying to protect that business.

In this installment we talk about how to “Know the spACE”. In future posts we’ll talk about:

•    “Know the plACE” – How to gather a better understanding of your company’s specifics, be it finances, customer base, politics, etc.,
•    “Know the pACE” – How to determine the pace and tempo of your organization and how that will help you be effective, and
•    “Know the mACE” – How to know the types of leverage you might have when trying to establish or improve security programs, process, procedures, etc.

Know the spACE – the 1st ACE

The first of the four aces, “Know the space”, is meant to remind you that you have to know the industry that your company is in. Is it in manufacturing, telecommunications, education, government, etc.?

Do you really know? If I asked you today – would you be able to quickly explain it to me in a way that I quickly understood? If not, how could you possibly know what kind of threats might exist?

If you’re not sure what industry your company is in, or where to go to find more information, some quick things you can do are:

•    “Google” for your company’s name,
•    Read any business articles that might have been written about your company,
•    Read any press releases your company might have made,
•    Look around to see what kind of trade magazines are being read by your coworkers and what kinds of trade shows are being attended
•    Read any non-security related magazines that might be lying around the office. Vogue and GQ don’t count (unless your company’s in grooming or fashion of course).

Speaking of “Googling” for your company’s name (or Dogpile, or Yahoo, or ), have you thought about some of the other types of information you might be able to gather using these search engines? What about

•    Has your company made any big announcements recently?
•    Are there any current legal problems involving your industry in general or your company in particular?
•    Are there a large number of public customer complaints or anti-company websites out there?
•    Is your company the industry leader or have a new and innovative solution that could be disruptive to the status quo?

I think you get the picture. The point here is you never know what’s going to make your systems a target and the better you know the industry in which your company operates, the better chance you have of addressing the right security issues before they become security failures.

To find your success:

1.    Figure out what industry or industries your company operates in.
2.    Read newspapers and magazines that are relevant to your industry and company and not just related to security.
3.    Keep an eye on industry-specific blogs, newspaper stories, press releases etc.

You see, most of the time, vulnerabilities are the same across not only systems but industries. A buffer overflow is the same anywhere the vulnerable software is the same. The threats, and therefore the risks, however, can be very different. Ultimately, the only way to know HOW to protect something is to know WHAT you’re trying to protect. Got it? Good.

So there you have it, no dealing from the bottom, nothing up your sleeve, just straightforward, easy steps toward getting your first ACE. There are only four in the whole deck, and when you can get them out of the deck and into your hand, your chances of winning the game are all but assured. This series of posts is meant to help you do exactly that. Stay tuned.

If you’d like to discuss this in more detail feel free to contact me through the blog or at jdknape@gmail.com; or, better yet, sign on to the Security Catalyst Forums and ask around.


A Diamond in the Rough of Security Predictions

By Joe Knape

Prediction is very difficult, especially of the future.
- Niels Bohr

Apparently, drinking too much eggnog and watching a giant ball made of lights drop from the sky gets people in the mood to make predictions for the future. Speaking of which, where’s my flying car?!?

When it comes to security predictions, most of them are redundant, asinine, or just plain wrong in my opinion. But with so many vendors, media commentators, and wonks out there, you’re bound to come up with a diamond or two if you dig around long enough. One such diamond this year for me was Anton Chuvakin’s predictions, which you can find over at http://www.oreillynet.com/sysadmin/blog/2007/01/my_security_predictions_for_20_2.html.

Now, even if Anton Chuvakin’s predictions didn’t come out until January 14th, his article is still one of the few worth reading. We just won’t give him credit for anything that occurred in the first few weeks of January!

If you don’t see a prediction listed below it is because I agree with it and didn’t feel the need to jump on the “me too” wagon. However, others in the list definitely deserve some additional commentary.

IV. Anton is frustrated at the numerous and sometimes contradictory ways that exist to rate and measure risk.

No standard emerging can be both bad and good. The “bad” means that enterprises will continue to run programs with little or no aid forthcoming from “industry best practices”. The “good” means that security professionals who are willing will be able to continue taking the best information available and develop programs that best represent the concerns and careabouts of their specific organizations, without worrying about fitting square pegs into round holes.

V. According to Anton, 2007 will not be the “Year of NAC” mostly due to the fact that it means so many different things to different people.

There’s a difference between a well-run network and a well-implemented one (not well-architected or designed). Operations groups all over the world are running the networks they are given to the best of their ability. Most of the groups that I have personal experience with are doing a phenomenal job considering what they have to work with.

They deserve better, and it is up to us as security professionals to work with the designers, architects, and implementers to make sure that the networks that are being handed over are put together with security in mind in the first place. Easier said than done, I know, but if we don’t make the effort we don’t make progress.

VIII. There is a question in Anton’s mind about how voluntary compliance frameworks such as ISO17799 or ITIL will fare in 2007.

These standards will continue to be touted by consultancies and even some internal compliance/audit groups. Enterprise wide implementation will hold steady or decline due to all the effort and money that will have to be put into MANDATORY compliance. It’s still all about prioritization and use of limited resources. It’s our job to make sure that we are prioritizing on the things that are right for our companies, even if that means being nice to the auditors.

IX. Apparently security awareness is a topic of great amusement (dare I say derision?) for Anton.

This reaction is unfortunate but all too common. We here at The Security Catalyst and ultimately you the reader can change this for the better in 2007. Let’s prove Anton wrong on this one.

X. And finally, Mr. Chuvakin apparently made some predictions for 2006 (I’ll assume they were made around late 2005 but you never know with these PhD types!) which he thinks are still appropriate, such as client and application based attacks outpacing server and platform based ones.

I agree. At the same time, I couldn’t let you, dear reader, go without giving you something to help you justify the time you spent reading this far. I want you to ask yourself whether or not your organization’s 2007 security projects are focusing on the REAL risks to YOUR organization or are they still trying to address the theoretical “threat of the month”. You know the one; it gets printed up on every infosec magazine cover and written up in every online security article that month (almost as if they copy each other’s editorial calendars).

If you, your security organization, or your upper management, are still not looking at risks, threats, and mitigations from a company specific perspective, stay tuned to this space because the next few posts will highlight some steps you can take to begin “changing the way people think” (and possibly even yourself) about applying security principles while keeping your particular company in mind.

Are there any security predictions you’ve read that are particularly interesting or disconcerting to you? Leave a comment or send me an email to jdknape@gmail.com. Please keep in mind that I reserve the right to publicly post and respond to anything I get unless I’m explicitly asked to refrain from doing so, but don’t worry I will change any and all names to protect the innocent…and the guilty. Thanks for reading and I look forward to hearing from you.


Security Friday Fast Fact: Three Pillars of Being a Responsible Corporate Citizen

By Joe Knape

Performing your duties as a security professional with the following “code of conduct” in mind is quite possibly the best thing you could do for your company this year.

1. Learn to use what you already have as efficiently and effectively as possible before asking for more.

* Are you using your current people, processes, and technologies to their fullest?
* Are there any people in your organization with untapped or unrecognized potential?
* Are there processes or procedures on the books that aren’t being used?
* Are there policies or standards that aren’t being enforced or are in fact unenforceable or even damaging to the enterprise?

Find those diamonds in the rough, those nuggets of wealth. Use what you have as efficiently and effectively as possible before asking your company to pay for more.

2. Sometimes the best thing to do is to do nothing at all.

If you’ve decided that you ARE using everything you have and it’s time for something new, then before writing that policy or deploying that new device or putting forth that recommendation ask yourself, is it truly necessary? Is it possible the problem isn’t as serious as you might think or the risk isn’t quite as high as first thought?

Try to NOT make changes. Sometimes the problem does just go away by itself.

3. First, do no harm.

If you’ve decided your people, processes, and technologies are being used to their fullest and that something absolutely has to change, then ask yourself: how can I architect, design, deploy, implement, etc. this “new thing” in such a way that it causes the least amount of change or trauma to the enterprise as a whole?

Minimize the amount of change you are responsible for in your enterprise, especially at any one time. When things have to change then make the changes gradually, over time, and always with the rest of the enterprise’s systems at the forefront of your thoughts.


It Was the Best of Times, It Was the Worst of Times

By Joe Knape

Larry Seltzer’s article “The New Attack Pattern” states that “things are getting better for the average user over time.” At the same time, several other authors state in a fairly lucid manner that users didn’t feel a whole lot more secure in 2006.

To make matters seemingly worse, according to most would-be fortune tellers, 2007 will see an increase in the number of application based 0-days, attacks on mobile phones will become more common, and incidents of identity theft and data loss will increase.

So which is it? Are we more secure and just don’t know it? Are we not more secure but living in ignorant bliss? Or are we on the edge of a digital precipice?

As Mike Rothman alludes to in his December 13, 2006 post, “Narrow and Targeted in 2007”, the answer is: D, all of the above. Of course, the real crux of the matter is how ‘we’ is defined.

Now, if “we” means the typical user in a typical large company then the answer is…yes — things are getting better from the perspective of the negative impact of “security” incidents such as virus outbreaks, DoS attacks, etc. People, processes, and technologies are all maturing and adapting to confront these issues (it may not be pretty if you’re behind the curtain but that’s another post).

If “we” means the typical user in a typical small business or single-employee company, then the answer is…maybe. While the threats to SMBs (small and medium sized businesses) aren’t that much different from those faced by larger enterprises, the people, processes, and technologies are just now being revamped to address the concerns and issues specific to SMBs, and will continue to mature throughout 2007.

Finally, if “we” means the typical home user, then the answer is…no, things aren’t getting better; in fact, they’re probably going to get worse before they get better. Home users are more and more the target-rich environment of choice for nefarious groups and individuals. The average home user doesn’t have (or isn’t willing or able to allocate) the resources (be it the time, skills, or even the desire) to protect themselves from these new levels of attack.

So what is the bottom line?

The risk may be to our businesses but the threats are not.

The threats we face and need to prepare ourselves to address are not business, or for that matter, technology based. The threats are targeted at users. If you step back, it’s clear that those home users, when it comes right down to it, are the same people that are users in the business environment. They are the employees, the managers, the salespeople, the presidents, and the owners.

Our methods, tools, and techniques have to span boundaries. We have to stop focusing on “this threat”, or “that application”, or “those users”. We have to crawl out of the gopher hole and broaden our vision, not narrow our focus.

As we wrap up another year of learning, improving and adapting, here are three things to think about for 2007, to help combat the growing and shifting nature of our threats:

1. If you could tell every one of your peers, coworkers, bosses, etc. one thing that you believe would make them smarter users, and therefore more secure online citizens, what would it be?
2. If you could make the security technology industry aware of one opportunity that you think they are missing the boat on, what would it be?
3. Are you telling them? If not, why not?


What We Have Here Is…A Failure To Communicate

By Joe Knape

A few weeks ago I posted about helping users pick longer, easier-to-remember passwords. RonW, in the comments, wondered about the best way to get users to “do the right thing”. This post is my take on how that can be done.

I’m not up on the latest Security Awareness techniques but it appears that they typically fall into one of two forms:

1. Mandating: meaning that some group of managers or other executive leadership demands that things be done (or not done) in a certain way, or else.

2. Marketing: meaning that a group, either internal or external, develops a security awareness campaign that can run the gamut from simple to complex and include everything from posters and emails, to screensavers and mouse pads, to security road shows. Everything is slick, colorful and pithy.

Security Awareness has become big business for some companies, and corporations are spending big money to try to get their users to “do the right thing”. Unfortunately, based on the latest in a long line of polls and report findings, neither of the two approaches described above appears to be very effective. User action, both intentional and unintentional, continues to be one of the leading sources of security concern for companies of all sizes.

I’m not saying that Mandating and Marketing don’t have their place. In fact, Mandating can sometimes protect an organization from certain types of legal action.

What I am saying is that there just might be a better way.

What I describe below leverages some of the insights of social epidemics that Malcolm Gladwell describes in his book “The Tipping Point”. Essentially, social epidemics occur when a small group of select individuals with specific characteristics make them happen, either intentionally or accidentally. He calls this “The Law of The Few”. Gladwell identifies three distinct personality traits that he feels are essential to the success of a social epidemic: Connectors, Mavens, and Salesmen.

Connectors are those people who, in Gladwell’s words, have a “truly extraordinary knack of making friends and acquaintances”. For our purposes these are the people who seem to know everyone in the organization. When we need to establish communications outside of “official channels”, we ask this person to make the invitations.

Mavens are defined by Gladwell as people who have helpful information and are not only willing but eager to tell others about it. Guess what: you and your security organization are, or need to become, the mavens. You have the helpful information and now you must be willing to share it with others.

Salesmen are the persuaders. These are the individuals who have the ability to convince people to do things even when those people might be skeptical of results.

We have to become Mavens of what the right thing is. We have to communicate those things to the Salesmen in our organizations and get those Salesmen in touch with the Connectors. Only then can we have any hope of making fundamental changes in the behavior of our users.

I’m not saying that this will be quick or easy. In fact, it is likely to take much longer than any of us wish.

What’s interesting about this technique is that it can happen in conjunction with other security awareness programs or efforts that might be underway in your organization (as long as you’re not recommending different things of course).

Word of mouth can be a powerful force and if the right mouths say the right words to the right people it can change the world, or at least the organization.
