Who cares about Security Awareness? (or: why “Just Say Security” doesn’t work)

November 18, 2010

I spend a lot of time talking with people about our awareness training efforts. And the first thing that almost every one of our clients who “gets it” tells me is the same thing: “We don’t want security awareness.”

That’s not how they say it, but that’s what they’re ultimately saying. Their actual words vary quite a bit, but they’re usually along the following lines:

  • Our users are the main source of breaches within the organization.
  • If only our users would stop {insert user action here – clicking on links, writing passwords on sticky notes, leaving docs on printers, picking up USB sticks in the parking lot}.
  • We just can’t get our users to do the right thing.

I never hear our clients say: “I just wish our users knew more about security stuff.” Their fundamental complaint is always that their users DO the wrong things.

In fact, we often hear these complaints about members of the information security staff (and our social engineering engagements bear out that we can compromise even those whose job titles define them as the “security aware” parts of the organization).

This is why I often make the claim that absolutely nobody cares that their users are security aware. They care that their users behave in such a way that they don’t compromise their organizations. What we have traditionally called “security awareness training” is actually a behavior modification exercise.

When viewed that way, it’s clear why our efforts fail. If you look at most of the traditional “security awareness” efforts (like the SANS “Securing the Human” effort that I have been so vocal about), it’s clear that they can’t possibly work. The reason is simple: posters, screen savers, etc. come from the idea that if we just teach our users something enough times, they’ll get it.

Unfortunately, simply saying something repeatedly isn’t enough to change behavior. It’s what the PSA (Public Service Announcement) movement discovered in the late ’80s and early ’90s. If saying “Just Say No” were enough to create a generation that didn’t want to do drugs, we’d have won the drug war in the ’80s. Instead, the global drug market hums along as a $321 billion market.

In order to change behavior, all the research says that you have to get people emotionally invested. That’s what all the great behavior modification campaigns (i.e. marketing campaigns) have done, and what “security awareness training” fails miserably at.

So, how do you hook emotions as part of security awareness campaigns? You’ll have to wait for my next blog post…
