Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows

Considering the meaning, purpose and expression of security awareness is a personal and professional pursuit. In fact, it’s my sole focus and the reason I created the security  Awareness that Works™ system.

As a result, I regularly discuss successful security awareness programs, and I start most discussions with a simple question, “what does it mean to be aware?”

The range of answers – from blank stares and silence on the phone to lengthy lectures – have little to do with awareness. In fact, I had one executive suggest to me that trying to define awareness was akin to US Supreme Court Justice Potter Stewart attempting to define pornography when he wrote, “… I know it when I see it…”

I disagree.

And here is the challenge: without a clear understanding and functional definition of security awareness, it is impossible to obtain (for ourselves, let alone to influence the awareness of others). Worse, this means there is no vision, guidance or purpose to awareness that is easily understood; awareness becomes a burden to fund instead of an opportunity to invest.

Good news – it doesn’t have to be this way.

If the goal is to shape the culture and increase “awareness,” it is essential to understand what awareness is, what it can do, and how to recognize when people are, in fact, aware.

How do others define awareness?

Awareness is not a new concept. Here are three definitions that share common threads, easily applied to the challenge of generating awareness with regards to security and risk:

• Wikipedia defines awareness as: the state or ability to perceive, to feel, or to be conscious of events, objects or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event.
• Awareness is also defined in personal injury claims: Conscious of stimulation, arising from within or from outside the person.
• Marketing is keen on awareness: a measure of respondents’ knowledge of an object or an idea. There are two main measures of awareness: spontaneous (or unaided) and prompted (or aided) awareness.

The common threads with these and other definitions are a sense of individual, recognition of actions and a measurable component related to some sort of message. Also consistent is the notion that awareness can be spontaneous and internal, or external to the person and aided.

These definitions prove a good starting point for considering what it means to be aware. But we also have to consider the underlying challenge individuals and organizations must solve: the human paradox (for more see: Why people are not the problem…).

How The Human Paradox impacts Awareness

When it comes to managing risk, information and the relationships with people, the real challenge is The Human Paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

The human paradox has an interesting impact on awareness: the more disconnected people are from the consequences, the more complicated – and costly – the effort to reconnect them.

This is why traditional “security awareness training” falls short: failure to address the human paradox. In some cases, these programs may actually increase the gap between individuals and consequences, creating more risk, increasing complexity and wasting money.

Security Awareness, Defined

For awareness efforts to be successful, we have to start with a clear definition. After considering awareness and the impact of the human paradox, I propose a short, clean and simple definition for awareness:

Awareness: an individual’s realization of the consequences of his or her actions (or decision).

When Awareness that Worksâ„¢ is obtained, the definition is enhanced by the ability to assess the impact of the consequences. Soon I will explain why we absolutely must reconsider consequences.

This definition of awareness actually shifts the purpose of the program. By improving the vision of awareness (we have more work to do there), the potential for training and other resources to provide measureable return is clearer.

Of course, there is more to consider: how to define the program, generate awareness, measure what matters and communicate what counts. But sometimes the simple shift of a definition and proper use of a concept is the spark that brings change.

So what does awareness mean to you?

Do not put your faith in what statistics say until you have carefully considered what they do not say.  ~William W. Watt

Over the last few years, we have been presented a series of reports, complete with statistics, suggesting the cause of security breaches is people. Whether external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem.

Well, they aren’t. Except, of course, they are.

When I wrote Into the Breach, I realized early in the process that “breach” (no matter how it is defined) is a symptom. So focusing on preventing security breaches basically creates a losing situation where valuable time, money and other resources are wasted… only to leave the real challenge untouched.

The real challenge is what I dubbed the human paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

If people aren’t the problem, what is?

When introducing the concept of the human paradox in the book, I suggested we face a people problem. Upon further research and considerations, I would write that section differently: we face a human paradox where people are not the problem.

Consider this: “people have been unintentionally and systematically disconnected”

This raises the question, “who disconnected people from the consequences of their actions?”

Short answer: we did. But it wasn’t intentional.

I liken the current experience described by practitioners as  “security pain” to what new parents learn as “short term gain, long term pain” – or the idea that actions designed to quickly diffuse a situation often create more complicated problems down the road. Basically, the actions taken over the last decade for short-term gain have disconnected people from the consequences of their actions – creating the current pain we feel.

The rapid pace of change in technology and security over the last decade or so makes it more difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is breaking down the range of outcomes and explaining them in a way someone else (without the same background and understanding) could easily understand.

When users rightly questioned changes, the path of “short term gain” was to suggest they wouldn’t understand and take the decision – and resulting consequences – out of their hands.

But it’s okay.

It’s part of human nature.

This means that instead of blaming “users” generically for not knowing and not being good enough, we should first look in the mirror. We played a role in making the situation we lament.

So we recognize it and move on.

The question is what comes next. And that’s where I have focused my passion, blended with my experience and skill as a human ecologist, in security and in the tradecraft of effective communication.

The Path Forward

The answer lies in connecting people to the consequences of their actions; it means we have to bridge the gap. But it’s easier – and more complicated – that just inflicting pain and punishing bad decisions.

So – tell them the consequences and we’re all set, right?

Well, it’s not that easy.

We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

We need more deliberate dialogue: conversation with a purpose that “meets people where they are” and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences – and a desire to reach common understanding, something magical happens.

Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

We have a lot of work to do. I’m here to contribute and lead the change we need.

The moment we judge someone, we forfeit the ability to help.

Seems like a lot of what is being promulgated in so-called “security awareness” today is nothing short of berating people with a list of the things they shouldn’t do, coupled with a non-intuitive list of what they should do.

I read a lot of suggestions to “call people out” and “catch them doing the wrong thing.” For obvious reasons, I’m not going to link to any of these articles, columns and blog posts. My experience and success in changing behaviors suggest a different approach is more effective.

Why the need to embarrass others?

The reason so many focus on lecturing and berating stems from the misguided belief that we know better, know more than other people and will grace them with our wisdom.

Memo

From: the users

To: the security people

RE: get over yourself

Businesses existed without you before, and while perhaps not in the future, we can do better. So can you. Start sharing with us and stop trying to embarrass us and make us feel stupid. Teach us what you know – but in our words – and we will work alongside you.

My practice delivers “Awareness that Works™” – where awareness serves as the catalyst for effective training. I enjoy several conversations a day – and welcome more – on the topics of awareness, training and the broader issues of rethinking how it all works in the organization to go beyond “security awareness” by building a system that cultivates a culture of optimization.

Awareness is generated, not prescribed

In the process of sharing Awareness that Works™, I recently sent a note to a person I met while keynoting a conference. Our dinner discussion suggested to me that he “got it;” that he understood the purpose of awareness and the vital role it played in the organization.

But his reply to my note blew me away: he had no interest in discussing awareness because he simply told people what awareness was, told them what to do and told them how to do it. He saw no need for awareness or training, and no desire to discuss it.

Wow.

How would you like to be the user in that session? Actually, how would you like to be a security practitioner in that organization?

Either way, I suspect the point is lost on that chap and those he is supposed to serve. And that’s too bad for everyone.

In my consulting practice, I ask people about their experiences and what they expect. Turns out people are pretty clever: they do brilliant things; they know they need to change (and are willing to) and have reasonable expectations of you and the organization.

So why the disconnect?

A misguided belief that we know more, are smarter and that users are unable to get it right contributes to the disconnection and failure of “traditional security awareness.”

I’ve read where others suggest inane things like “there is no patch for stupid” and that we need to inflict pain on people in order for them to understand. And then I watch other security practitioners applaud and cheer. Step back and watch it through another lens and perhaps you’ll be as appalled as you should be.

We don’t know better, we just have a difference experience.

In the course of practicing “security,” we literally spend hours a day steeped in risk, understanding actions and trying to successfully solve problems.

But we also make mistakes. Lots of them.

Ever over-hardened a machine (to the point where it is a brick), blown a patch and screwed up configurations, backups and the like?

Spend a night in a data center correcting your own mistakes and things start to look different. As a result, we have cultivated a different language, experience base and set of expectations.

We may have started on a more equal footing in terms of experience, but the nature of our profession changes us. Sometimes, however, that change is a bit harder to see, and even more challenging to consider in context.

But we have hope.

The people we serve are willing to make a change, if and when needed. But they want to be made aware of the consequences of their actions in their words, in their experience and on their turf.

No one likes to be embarrassed or talked down to – and that has to stop. Now!

In the end, we’re all the same. We have an opportunity to all work together. We need to reconsider what awareness means, consider the perspective of our users and work to share and educate, but not embarrass.

Stick with me and I’ll show you how.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

As the son of a son of a sailor

I went out on the sea for adventure

Expanding the view of the captain and crew

Like a man just released from indenture

As a dreamer of dreams and a travelin’ man

I have chalked up many a mile

Read dozens of books about heroes and crooks

And I learned much from both of their styles

–Jimmy Buffet, Son of a Son of a Sailor

With Jimmy Buffet playing on the radio, we set “sail” in January in our forty-foot diesel pusher RV. With the roads as our sea, we set out for adventure, and more: we set out to change our lifestyle.

My family stopped collecting things and starting collecting experiences. And we are liberated.

The process of leaving the house included going through nearly every single thing we “owned.” It was an exhausting process filled with memories, discussions and the sober realization that it is easy to collect things. While we found some great purchases and reminded ourselves of great times over the last decade, we also realized we had unwittingly accumulated a lot of stuff.

The process of simplifying our possessions was powerful. As we fired up the diesel and headed south in search of warmer weather, we resolved to do thee things:

1. Simplify our lifestyle and schooling (road school is for all of us, not just the kids)
2. Streamline our fitness and nutrition
3. Simplify our business

In the short few months we have been “on the road,” we have managed to make great progress on all three goals. Pursuit of these may be a constant journey that evolves over time, but we live each day to the fullest and cherish the time we have with each other and those we meet on our journey.

Streamlining our lives, nutrition and fitness have obvious benefits. For me, the real breakthrough came on the business front.

It started in December, before we left, while speaking with a friend. After listening to my goals, he left me with these words from Bruce Lee:

“I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times.”

Sometimes the right words shared at the right time make the difference. For me, this was instantly profound, powerful and put my quest into context. I had run a successful business practicing a lot of kicks. It was time to mature and find what my “one kick.”

After a few weeks of active thinking, writing/journaling and speaking with friends (including clients), it the path that blended professional speaking, writing, training, information security, adult learning and my background in Human Ecology came into focus. A few more conversations and it became as clear to me as it had been to others: I needed to focus on awareness.

It is no secret I am disappointed with the industry efforts at “security awareness training.” More often than not, the traditional attempts waste money and even increase risk! I refused to simply do what everyone else was doing.

My “one kick” is Awareness that Worksâ„¢

So I took more time to consider my entire experience and the elements that worked. I am excited to share the result: Awareness that Worksâ„¢

Awareness that Worksâ„¢ connects people to the consequences of their actions, creating a shift in thinking that inspires behavior change. Individuals achieve understanding in their own context, and then are guided, shaped, and supported with materials and training tailored to them.

To be effective, awareness needs to be separated from training. This provides some concrete benefits and sets the stage for the right messaging, training and support to not only influence behaviors, but to provide needed insights and information to the organization.

I want to work with people who have a mandate for awareness and are ready to work with me to move the cost of working with people to an investment. The approach I created to guide organizations – tailored to the unique aspects of each – works so well that it pays for itself. In fact, I guarantee it.

This is my focus. 100% of my time, energy, effort, and research go into how we work together. And with this focus, I plan to write and share more.

I’m excited about the initial results – and the conversations about awareness I share every day.

Consider yourself invited!

If you are focused on addressing awareness (and the subsequent training), I want to speak with you. No strings, no selling. Just discussing.

And our journey continues.

The current plan (which is always subject to change) is to spend a few more weeks in Myrtle Beach, South Carolina. We’re enjoying the beach, finishing up repairs to the RV, and focusing on the launch of Awareness that Works™.

Soon, we head back on the roads for adventure. No doubt we’ll “chalk up many a mile” – blending with reading, writing, sharing and learning. The campfires will be many and the conversations plenty.

Life is good.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 9)

Writing this book and testing these methods revealed a surprise: people who are engaged – connected more closely to the consequences of their actions – do more than protect information.

This chapter explores additional benefits from the improved communication and insights that come from following the strategies and elements shared in Into the Breach, including:

• Quickly align business and technology organizations (true alignment, not lip service)
• Harnessing the power of people to uncover new revenue opportunities
• Leveraging and engaging individuals in the act of reducing waste while doing more with less

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
2. Subscribing to The Security Catalyst podcast & blog to get more insights
3. 3. Checking out Awareness that Works™ – a new program from Michael Santarcangelo to guide smart investment in people, with guaranteed results (this program pays for itself).

Let’s be direct:  we have a huge personal stake in the push toward cloud computing. Do companies that move to the cloud still need security professionals?

The answer is clear: yes — and even more than ever.

We are at the beginning of a huge paradigm shift in the middle of a deep recession. This perfect storm will drive the cloud to emerge as an architectural option that has clear economic and productivity impacts that will appeal to most IT shops. The decision to use “the cloud” will be one based upon two opposing forces: “do more with less” versus “risk management.”

However, this shift – whose success heavily relies upon abstracting the cost/complexity of underlying infrastructure — demands security professionals “up their game” to reflect that we are in a brave new world.

The stakes are high.

Let’s reflect on a recent headline:  a zero-day vulnerability exploited by a government to access private communications hosted by a major “cloud” provider.

This incident was front-page news – and the rationale for Google to threaten to cease business operations within the borders of China. Coverage and commentary of this incident extended beyond the usual IT publications to the US Security of State.

This is a big deal (and great movie plot).

But is it true?

Sometimes fact is stranger than fiction. In this case, it is likely some aspects are true and others false. Either way, it begs the question: what will the headlines read just a few years from now?

There are two ways security professionals must up their game:

First, security pros need to learn how to operate effectively in the context of business decisions.

Ten years ago, security focused on knocking ports, following exploits, and using flaws in network/core configurations to breach a system. Then the volume of exploits became overwelming, the OS/network became more resiliant, and the auditors moved in. This signaled a shift to checklists and conceptual assessments. The tao of scanning became commodity, and productized through services such as Qualys. IDS configuration became stale (well, also due to protocol complexity and encryption), and we all became unconvinced in the security associated with layer 3 and 4 firewall ACLs and IPS systems.

We’ve already seen a piece of this evolution as “risk management” has dominated security-focused job descriptions.

Security pros are applying “low level” security accumen to drive operational situational awareness and risk-based architectual decisions:

• What security controls does the provider place on data storage?
• Are they strong enough as the sole protection mechanism, or should we encrypt and build the added complexity into our application?
• What happens if the provider reports a breach?
• What is the impact and how will we cohesively respond?
• What do we expect from the provider?
• What does the provider commit to?
• Does the cost balance the consequence and likelihood of an incident?

Second, from a technology perspective, security professionals must build acumen to topics that sit higher in the stack.

Twelve years ago, we were implementing firewalls to defend against the “ping of death” and “smurf attacks”. Since then, the focus has steadily moved away from layers 2/3/4 and into layers 5/6/7 and out of the “stack” to focus on the user and business).

Cloud-based resources further increase the emphasis on applications, users and business. More than privacy and compliance, this means security professionals will need the skills and abilities to focus on these essential aspects and specific challenges like:

• Application Role Based Access Control (with Federation Technologies)
• Security of API interfaces that faciliate programatic access to an instance of a cloud-based service
• Incident Qualification/Response via “cloud” forensics
• Logical Data Encryption within “cloud” based storage
• Security of code that is developed and deployed to IaaS (Amazon/GoGrid) and PaaS (Microsoft Azure) providers
• Configuration and verification of virtual machines (within the IaaS Scenario)
• Defense against Economic Denial of Service Attacks
• Bridging the policies and metrics that the cloud provider exposes to the requirements of the business

For many, these topics are not as easy to master as TCP/IP and SMTP. Complicating the task, many of these concepts differ between providers, mesh together complex application-drive technologies, and change quickly. It’s also unclear how far we can venture into each (since many are based on what and how the provider exposes, and the complex nature of the protocols).

To make the right decisions, businesses must rely on practiced security professionals who are qualified and capable of voicing the appropriate concerns to the business. Without question, this requires greater focus on risk management by explaining complex topics that will drive a risk-managed embrace of cloud computing.

About Craig Nelson

Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.

What you’ll find in this episode (Chapter

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

by Dennis Kuntz

“You rush a miracle man, you get rotten miracles.” – Miracle Max, from The Princess Bride

When building Security from Scratch, the challenge is in undertanding the situation from the start. Once the team is identified/assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. This is not an “assessment” in a formal sense, but is more involved than simply checking for a firewall and antivirus.

Each situation is unique, but here are the areas I consider in my tactical review so I can understand what challenges lie ahead and form my plan of action:

• Information Security Policy
• Network/Perimeter Security Posture
• SDLC Security Policies/Procedures/Practices
• Applicable Compliance Requirements
• Security Awareness

I’ll share my approach and thinking below – but want to hear from you, too. Are there other areas you would include, avoid or otherwise consider? Leave a comment or send an email and we’ll expand together.

Information Security Policy

This is an area open to debate, but I like to check for and review the existing security policies. It provides insight into what, if anything, has been done. It generally provides clues, too, to why decisions were made.

I’ve found two major approaches to Information Security Policies:

(a)  a monolithic approach where the policy encompasses all areas with details

(b)  a piecemeal approach where you have a very general document that references more detailed documents.

If I get to choose, I prefer the piecemeal approach. It allows employees to get an overview of the policy and all of the areas covered, without overwhelming them with too much all at once with one huge document they’ll never read.

With the “piecemeal” approach, the details can be spelled out in the referenced documents that are easier to draft, update, and distribute.

Understanding the current approach and structure helps form a picture of the current environment. Here are some questions to ask when considering the existing Information Security Policy:

• Does a policy exist?
• Who wrote it, is it strictly boilerplate, and/or has it been reviewed by stakeholders and approved by management?
• Are the policies being followed?
• How are changes made/approved?
• Who currently maintains the policy?

Network/Perimeter Security Posture

Now, while I suggested just checking for firewalls and antivirus aren’t enough, it doesn’t mean they should be skipped. It’s too easy to limit one’s assessment of security posture to just those kinds of elements. With that said though, this is definitely something that should be included.

In addition to getting a good idea of the network architecture (diagrams, etc.), here are some questions to ask regarding the network and perimeter security posture:

• Is remote access allowed? If so, how – VPN, SSH, nothing?
• Are firewalls , WAF’s (Web Application Firewalls), and/or IDS/IPS’s employed? Where? Who manages/maintains them and their rule sets?
• Does your company have/maintain a DMZ?
• Is wireless access allowed from your premises (including both network access as well as “open” wifi)?
• Does your company have any resources/assets in “the cloud”?
• If in “the cloud”, what control does your company have over the security of resources, vs. those that are simply “built in” to the services offered?

This is obviously not a comprehensive list (if you think I missed something key, drop a comment).

The main focus is to get a tactical understanding of the network and potential points of exposure. While tactical, this allows the identification of strengths and weaknesses in the current layout to form the path to advance the posture.

Once the tactical review is done, it is important to run internal and external assessments to test the baseline performance of the existing controls. Ideally, this should include both comprehensive vulnerability assessments as well as comprehensive penetration testing. This can be easily handled in-house if budget is a challenge.

SDLC Security Policies/Procedures/Practices

It should be obvious that companies that conduct business on the “Internet” , develop software, or has any measure of internal development, that SDLC (System Development Lifecycle) practices are important as they relate to security.

However, this also matters to companies with only a web site that was created externally and is hosted/maintained by a third party ASP (Application Service Provider), with no internal development. When getting the lay of the land, take a look at the accepted development practices to make sure they take appropriate security measures into account.

Here are some questions to can ask :

• Who “owns” the SDLC?
• Is security specifically addressed in any SDLC documentation, especially regarding applicable best practices (i.e. OWASP Top 10 for web application development, buffer overflows for vulnerable languages, etc.)?
• Is there any formal secure development training available for developers?
• If third parties/outsourcing is used for development, are security practices published and/or open for review?
• What is the current state of security awareness among the developers, architects, etc. (this can be assessed by one-on-one interviews with developers, architects and managers)?

As with the Network/Perimeter Security Posture section, being able run assessments and have penetration testing done will go a long way toward establishing the effectiveness of current controls.

Applicable Compliance Requirements

If the company is subject to any compliance requirements, it is vital to establish the current state of compliance. I will be covering this topic in more detail in a later post, but here are some questions you should ask:

• Is the company subject to government compliance (SOX, HIPAA, etc.)?
• Is the company subject to non-governmental compliance, such as PCI-DSS?
• Does the company need to remediate any recognized compliance violations and/or is there a deadline for any existing compliance efforts?
• Regarding existing compliance efforts, where/how far in the process is your company?
• Who or what department oversees any given compliance effort?

As noted in the first installment of this series, establishing relationships with other departments –especially regarding compliance – can go a long way toward achieving your company’s compliance goals.

Security Awareness

While “Security Awareness” can mean different – and specific – things to different people, I’m referring to it here in more general terms. In essence, you need to take a look at your company’s current behavioral and cultural stance and openness toward information security. Here are some questions you should ask:

• How much support will you have from stakeholders? From management? From everyone else?
• Related to the previous question, how much latitude will you have in making decisions – will you get to run the show, or will you end up having to be an order-taker?
• Is your position the culmination of a concerted effort to “become more secure”, or is it the result of a begrudging attitude to achieve a bare minimum? The answer to this one may take some effort to answer honestly….

Turning Your Eyes Toward Defining – and Achieving – Success

Once you have all of this in place – your team and a good idea of where you are – you can begin to understand what is needed to define “success” and the metrics needed to quantify that success.

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self.  Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and considered what they are doing as a game.  I’m not suggesting that what we treat it as a game as well; rather, what is important is the strategy required for both.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drops dramatically.

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)

Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles  – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

by Joe Knape

There are a lot of opinions about security awareness programs, what they should look like, what they should cover, whether they work at all, etc. Recently you’ve even read a few posts on the Security Catalyst blog about awareness training. In addition, there has been a lot of “research” and pontificating about why security awareness messages seem to consistently fail in their desired mission and what changes can be made. This research typically focuses on the psychology of the end user and how to craft the message for specific audiences to make it more effective. With all due respect to my fellow Catalyst contributors and to all the awareness “expert” out there, I think they miss the point. The point of security awareness programs is not to see how cool, hip, or clever the message and the delivery method can be but to change the way people think and act about information, both their own and others when applicable. The point is to get people to want to protect that information from prying eyes or accidental disclosure. What I recommend is that instead of looking deeper into the psychology of the user, or trying to find the next viral communications technique, security awareness program developers should look at methods and messages from other areas where communication to a vast number of different people has been necessary and where those messages have been effective over time.

For example, how many of the following messages or sayings do you remember and act on whether you know it or not:

Click it, or ticket; Buckle up for safety; Don’t mess with Texas; Only you can prevent wildfires; Don’t talk to strangers; Look both ways before crossing the street; Friends don’t let friends drink and drive; Loose lips sink ships; Do not leave your bags unattended.

You get the idea. So, what do all of these messages have in common? They’re all S.M.A.R.T messages. What does S.M.A.R.T mean?

S stands for Simple, bordering on the simplistic; the message should not be long, or difficult to understand. It should be crafted in such a way that the mind can register and retain it with very little effort.

M stands for Meaningful; Similar to Actionable below, messages without context are ineffective at best. A meaningful message is one that communicates information that is both useful for the security posture of the company AND for the target audience Take “Only you can prevent wildfires” for instance; the point of this message isn’t only to protect the forests and parks but also to protect the individuals and families in those forests and parks.

A stands for Actionable; the message should have some element of what to do or not, something that the audience can latch on to and start performing immediately; Do lock your computer when you are away from your desk; Don’t let other people enter behind you without a badge.

R stands for Repetitive; No matter how well crafted your message, or how much time and effort you might have put into it, sharing it once a year is not going to be enough. S.M.A.R.T messages are crafted in such a way that they can be delivered over and over again using different venues and methods (e.g. posters, email signatures, phone messages, etc.) without overwhelming the audience.

T stands for Targeted. I said in a previous paragraph that modifying a message to take the psychology of your intended audience into account misses the point. However, targeting the audience based on delivery method is something that works. Some people pay attention to posters, others to emails, and others to phone calls. Targeting specific users with specific messages doesn’t make sense, it’s costly and redundant, but targeting specific users with the WAY the message is communicated, that makes sense and is relatively straightforward to do. Basically you craft the S.M.A.R.T message and communicate it in as many different ways to all of your target audience as you can. Not only does this make sure that the message is transmitted multiple times, but it covers the range of how people learn since they will be seeing it (posters), reading it (emails) and hearing it (telephone, loudspeaker, audio email, etc.).

So there you have it. Keeping your security awareness messages S.M.A.R.T. should make your training and awareness group more effective and more efficient and keep your audience from saying they wanted to follow the program but that the program “missed it by that much.”

If you that follow on me on twitter (twitter.com/iamthedavil), you may be aware that my Information Security (InfoSec) group is in a bit of a project holding pattern for the foreseeable future due to too many projects and not enough people or funds. Like many companies, we are being asked to “do more with less.” While this is an admirable goal, my personal objective is to be more effective with less, reducing the confusion between motion and progress.

One of my main concerns is the number of security-related emails our InfoSec area is sending out. Since there’s the common concern that frequent communications will be viewed as noise, I’ve been trying to figure out a way to increase the effectiveness and memorability of our alerts.

One of my first ideas was to “adopt and adapt” a color-code system for types of hospital-loudspeaker alerts similar to what the hospital currently uses:

•       Bomb Threat – Code Black
•       Fire – Code Red
•       Missing Child – Code Adam

And so on.

Introduction to these codes begins on the first day of employment during new hire orientation. Additionally all staff, including non-medical personnel, must complete yearly CBTs that review the various colors and their meanings. Furthermore, these codes are printed on cards employees carry with them at all times, so they’re repeatedly emphasized to all hospital employees. I suppose you could even say these codes are imprinted on our DNA…

(I’ll pause for groans and laughter here.)

My idea was to adopt the current announcement method, designed to quickly initiate a response during an emergency, and adapt it for InfoSec purposes. With that goal in mind, I came up with the following potential list based upon the top communications I see the InfoSec team generating:

•       Malware/Virus Outbreak  – Code Red
•       Patch Required – Code Blue
•       Disaster Recovery Engaged -Code Yellow

Instead of targeting medical personnel with the communications, Information Systems (IS) staff would be the primary recipients, as they are typically the initial audience for many of the situations mentioned above. By using a “color codes” approach to draw attention to the InfoSec announcements, IS staff will know when to respond to alerts we. Desktop Support would know increased workload may be coming during a Code Red, Server Administrators are informed of a patch through a Code Blue, and all of IS is quickly aware when a Disaster Recovery effort has begun.

Usage would be similar to the following in an email subject:

- Bogus Webmail address

•       InfoSec Code Blue – Emergency Patch Required
•       InfoSec Code Yellow – No Power at Southwest Site

A slightly different way of using the system was suggested by Michael Santarcangelo, for an environment when response-time is critical.  With his approach, the codes indicate less about the threat, and more about the timeframe with which people need to act:

•       Code Red – Immediate (Within 24 Hours)
•       Code Yellow – Urgent (Within 48 Hours)
•       Code Green – Soon (72 Hours)
•       Code Blue – Informational (No Action Taken)
•       Code Gray – Personal (Do This At Home)

While the adopt-and-adapt concept seems simple, I do have a confession to make. In my zeal, I made the error of using the same colors as the hospital alerts.  Marketing and upper management quickly informed me that the InfoSec Event colors needed to be different than those used by the hospital to minimize confusion and panic.  Keep this in mind in your environment.

This is an opportunity for us to work together. What exists in your environment that you can leverage to increase security awareness and visibility? What have you done that’s been successful? What’s failed? Let’s continue to share ideas and learn from each other, especially during these times of limited budgets and resources.

By Dennis Kuntz

When I was first asked to write a post on “Security Awareness”, I began really to think what is meant by “awareness”. The conclusion to which I came was a little frustrating: Too often folks think of awareness as an end in itself  – as if making folks aware of something is the same as doing something about it.

Now, it may seem obvious that this is not the case, but how often have we – I include myself here – just lobbed something over the wall to make folks aware of an issue? Maybe it was new risk or vulnerability – whatever – and then we washed our hands of it as if we had done our job?

This is obviously not limited to Information Security or IT folks – no particular group has the market on this practice cornered. But that being said, awareness needs to be backed up by two primary things: education, and action.

Education

When you make someone aware of a situation, issue, or risk, how often do you take your audience into consideration? Tech guys and gals are infamous for using jargon in situations where it’s just not understood by others in the room – we’re right up there with doctors and lawyers! Now, that’s not a bad crowd to hang with (well, except for the lawyers), unless of course you want to be listened to, or even better, understood.

 If Joe the BizDev Guy walks into a BlackHat conference, I have no sympathy for his confusion (let alone his compromised devices) and would consider him out of luck. However, if I’m in charge of protecting his data at our company, my job requires me to make sure that I communicate important matters to him in ways that allow him to make educated decisions. Plus it’s just the right thing to do.

Action

If I’ve made my data owners and/or boss(es) aware of some important issue, I’m not done with my job. I need to take the necessary actions to follow up on those issues right up to the degree of my authority. If I lack the necessary authority, and especially if the issue is important enough, then I need to take action to be in the faces of those who do have the authority until some resolution occurs.

 There are of course times when we cannot get the resolution we want; Far too often I would say that this is the case. But we need to make sure that we’ve done everything we can to address the issues at hand instead of just being content with their “awareness”. Follow through in our jobs is vital – people can lose jobs, or even die without it.

 Awareness is great, but not by itself. Combined with thoughtful, communicative education, and resolute action, they become a potent triumvirate.

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant due to the implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to justify disclosure of medical information on mistakes or negligence.

The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPPA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed. These rules need to be properly followed and understood by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liabilities issues.

Not surprisingly, these measures often fail and wind up polarizing our users against your efforts. Nobody likes to be told they are wrong. So we have to find ways to provide constructive and useful feedback that supports the behavior change we seek.

Information to Reinforce Good Behavior
Recently, the USA Today ran a story entitled, “Pedometers may encourage weight loss” (By CARLA K. JOHNSON, Associated Press Writer). The point of the article is that people interested in losing weight have good results when they use a pedometer. If you are not familiar with pedometers, they are a simple device that can be worn on the belt, and when adjusted to your stride, help measure the steps you take in a day. It provides a way to measure your effort/output in a given period (normally, over a day).

Five Lessons Pedometers Teach us about Security Awareness Training
1. The pedometer provides an unobtrusive (and generally trusted) measure of the persons actions. Further, they can choose to share or keep their results private.

2. Most users keep a log of their “steps” per day – helping them build a visible trend. They naturally assess these trends and compare what they see to how they feel.

3. Most of us are motivated by a challenge – using a pedometer encourages the wearer to “take a few more steps.” Users get creative in how they are able to meet the challenge, stimulating a desire for more information that they then share!

4. The challenge can be spread to others. Everyone likes healthy competition.

5. Users are aware, they are consciously engaged in the process. That consciousness opens them to new ideas and stimulates their desire for knowledge.

One you stimulate the demand for more knowledge, you have to be prepared to present information that is useful, relevant and meets the needs of your users. Building on these lessons will help you build a highly effective security awareness training campaign.