Название: Security Awareness For Dummies
Автор: Ira Winkler
Издательство: John Wiley & Sons Limited
Жанр: Зарубежная компьютерная литература
isbn: 9781119720942
isbn:
The root of the problem is not that a user takes an unaware action but rather that the user actions create damage. Safety science looks at the process holistically.
Though someone should address safety problems in a cohesive way, awareness professionals seek only to create better implemented awareness programs. Understanding how your work as an awareness professional fits in with the overall loss reduction program is important. You can then work with the other security teams to coordinate your efforts and tailor your efforts to fit within their efforts.
Applying Accounting Practices to Security Awareness
A proper accounting program protects an organization from financial loss. Accountants study financial processes and determine where losses can occur and how to control them through processes.
In much the same way as safety scientists figure out how a person comes into the position of a potential injury and proactively tries to remove that potential, accountants try to put processes in place to proactively remove the opportunity for financial errors. This involves proactively tracking financial and tangible resources. It means that there is categorization of all resources. This is why there are so many annoying processes apparently in place in many businesses.
Likewise, a person has to endure many processes when they’re in the middle of a financial transaction, and follow detailed operational guidelines for how transactions are to be performed. For example, when I travel and have to file an expense report, I have to meet specific requirements for the level of documentation required. In some cases, I can just ask for a flat amount for all meals. In other organizations, I have to categorize every expense I want to be reimbursed for and then provide a receipt for any charge. In one case, I left out the receipt for a $4.53 Frappuccino, and the complete expense report claiming more than $3,000 was rejected until I could find the receipt.
Though I of course cursed the accounting department, I recognize that they’re just following the rules. Those rules were put in place because of the historical fraud that occurs whenever people submit fraudulent expenses. Clearly in this case, the organization expended more in lost labor costs between my time to redo the expense report and the time spent by someone in the accounting department to review the report thoroughly — twice. However, the processes were put in place to prevent what could become a large amount of fraud in aggregate.
Similarly, time tracking is critical for paying employees inside organizations. If people don’t properly enter and certify hours worked, they may not be paid. Therefore, people enter their information accurately and timely.
Note how nobody argues about most accounting processes. Nobody argues that it’s unfair to the user to not pay them if they don’t complete the time card properly. Nobody argued on my behalf for my organization to pay my travel expenses without the required documentation. Essentially, these accounting practices are a must-do item, not a should-do item. When you want cybersecurity practices to be a must-do and enforceable, you can use these examples that the organization already penalizes employees for not following other critical processes.
After the user has satisfied their business responsibilities, accountants then have review and audit processes in place to ensure that information is accurate, with no discrepancies. For example, I worked in a fast food restaurant where they tracked the number of servings of expensive foods. The restaurant served fried clams, and because the point-of-sale system could track every order, the store manager had to count the available servings at the beginning and end of the shift, and they had to ensure that sales matched the difference in available servings.
Though the clams were a specific example, all mature organizations track just about everything in and everything out. The accounting process looks to ensure proper tracking of financial resources. Some of it is to ensure proper financial reporting for taxes and investors. They look for any deviations in expectations. The reason for deviations don’t matter.
In cybersecurity, you have to apply these lessons and use behavioral analytics, review log files, and otherwise look for evidence of violations of security procedures. Though this is a critical response issue, reviewing this information can also tell you where user behaviors need to be improved.
Much like an accountant’s job is to identify deviations — whether the deviation is caused by error, accident, or malfeasance — when a user deviates from defined practices, the system should not care. It should be identified and investigated. Your organization should detect an action regardless of motivation. For example, if a user attaches a sensitive file to an email, it should be stopped regardless of whether it’s an accident or the user has malicious intent.Whenever a deviation occurs, the type of deviation drives the follow-up process. It’s possible that forms, such as an expense form, will be returned for revision. If something valuable appears to be missing, it might inspire an investigation. In extreme cases, there might be a need for forensic accountants to complete a detailed investigation.
Applying the ABCs of Awareness
The mark of success for an awareness program is that people change their behaviors as required. For security awareness programs, these behavior changes should provide a return on investment and justify the awareness program, as Chapter 8 discusses in detail.
In short, the ABCs of awareness mandate that awareness influences behavior. Behaviors practiced consistently create the culture. Culture in turn provides awareness and drives behaviors.
The goal is for awareness to influence behavior. Then behaviors, practiced consistently, create a culture (or consistent behaviors practiced across the organization), and in the case of a security awareness program, they create a security culture. Your security culture then helps to drive both awareness and behaviors. Figure 3-1 illustrates this relationship.
FIGURE 3-1: The ABCs of awareness.
Having awareness doesn’t matter if users don’t practice the desired behaviors. Most people know not to reuse passwords across multiple accounts, for example, yet you still face incidents unnecessarily because users reuse their passwords. In 2019, criminals published credentials for more than 3,000 Ring cameras in people’s homes. They were able to hack in and interact with children, using passwords that had been stolen in hacking incidents and then sold on the dark web. Though the passwords were from various websites, attempts to use them to access the cameras were successful because the parents had used the same passwords on the Ring account as they did on other Internet accounts.If behaviors are consistently poor, the security culture is weak. If senior employees choose not to wear their badges, a new hire walking into the organization will soon stop wearing their badge too, no matter what the awareness posters say.
Have you ever heard someone say СКАЧАТЬ