Security Awareness For Dummies. Ira Winkler
Чтение книги онлайн.

Читать онлайн книгу Security Awareness For Dummies - Ira Winkler страница 15

СКАЧАТЬ function perfectly.

      If a system exists to simplify implementation of phishing and CBT, it represents the implementation of products and not the implementation of a comprehensive awareness program. If your goal is just to implement a Check-the-Box awareness program, however, product implementation is likely all you need.

      When I worked for the NSA, it was clear that any mishandling of sensitive information could result in an employee’s termination and, potentially, prison. The NSA allowed some gimmicks and creativity as part of its security awareness efforts, but providing entertainment definitely wasn’t a priority. We employees didn’t watch comical videos. We didn’t play games where we sat around and won prizes if we guessed the amount of prison time we might earn. Violations are serious offenses and were portrayed as such.

      Entertainment has its place. Contests are useful for engagement. Humor can enhance engagement. Giveaways are fun and can provide reminders of awareness messages. But the purpose of a security awareness program is to change and improve security-related behaviors. Your efforts should focus on those efforts and formats that contribute to behavior change.

      

Though you want material that is engaging, you can walk a fine line between engaging and trivializing. Humor, when used appropriately, can enhance learning. Avoid using humor for serious subjects, however. You don’t see humorous videos regarding sexual harassment. Humor can trivialize an otherwise important concept, and you need to ensure that people understand that strong security behaviors can prevent significant loss.

      Unfortunately, I have seen many awareness efforts that lead with humor. The users like it, if it’s done well; however, it doesn’t mean that it has the desired impact, which is to change behaviors. You don’t want to bore the audience, but you do want them to take your lessons seriously and apply the information.

      

To determine whether your awareness training is effective, ask participants what they learned from it rather than whether they liked it.

      Awareness is just one tactic within an overall strategy to reduce the risk associated with user-initiated loss. If you’re in charge of your organization’s overall efforts to mitigate user-related loss, you need to consider awareness as one tool in your arsenal. If you’re responsible solely for awareness, you need to understand your place within the overall loss-reduction strategy.

      Users can fail only if the technology around them provides them with the opportunity to fail. A user can’t click on a phishing message, for example, unless all the antiphishing technologies in place failed to filter the message in the first place. Of course, technology fails significantly less often than users fail. For this reason, you need to either frame your efforts accordingly or work with the teams that provide the users with the environment.

      Here are some ways other teams can help:

       Work with the teams that provide the technical security environments to reduce the opportunities presented by the environment for users to initiate losses.

       Work with the teams that manage the technology that anticipates harmful user actions, such as data leak prevention tools, to mitigate the harm from the actions proactively.

       Work with the operations team to see how users’ actions can be better defined to avoid the initiation of losses.

      

Security awareness is just one tactic, among many, to mitigate damage caused by users. If you want to fail, portray your efforts as a strategy to deal with the entire problem.

      Applying the Science Behind Human Behavior and Risk Management

      IN THIS CHAPTER

      

Establishing common knowledge

      

Seeing what safety science does right

      

Borrowing from accounting practices

      

Knowing the ABCs of awareness

      

Applying group psychology to your awareness efforts

      

Understanding how risk management works

      When you create a security awareness program, or any awareness program, you’re attempting to influence group behavior throughout an organization. The success of your program depends on the reliability of the science and the theories you base your assumptions on.

      As I say throughout this book, perfection and universal applicability are myths of the security profession; they don’t exist. I have found, however, that the sciences described in this chapter work more consistently than other flawed but commonly held ideas, such as those that can cause the difficulties I cover in Chapter 2.

      As you see in this chapter, you gain the most benefit for your awareness efforts by consulting sciences that influence (or attempt to influence) crowd and organizational behaviors. You need to understand the sciences of how people think and behave only to the extent you need to know to do your job properly.

      The greatest criticism I seem to hear about security awareness is that it’s all common sense. It’s common sense to know not to click on certain emails. It’s common sense to know that the tax service СКАЧАТЬ