Title: Security Awareness For Dummies
Author: Ira Winkler
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
ISBN: 9781119720942
Though the model is framed in terms of individual motivation, you can apply this mapping at a group level to determine the abilities you need to build across the organization as a whole. Abilities are the skills your awareness program needs to create or encourage so that users have the knowledge required to complete the desired behavior. Likewise, you can create consequences that establish perceived motivation across the entire organization. An awareness program can also draw attention to the prompts so that they trigger the desired behaviors more reliably.
For example, food service workers are mandated to wash their hands after using the restroom. This task requires minimal ability, so all that’s required is the appropriate prompt, or nudge (discussed in Chapter 7). The prompt is frequently a sign in the restroom stating that employees are required by law to wash their hands before returning to work. The prompt is simple, and sinks are immediately available. The motivation is a reminder that the workers can be punished for not washing their hands.
Prompts (or nudges) should be placed as close as possible to the spot where a behavior should be exhibited. For example, if you want people to lock their desks or computer monitors when their desks are unattended, put a reminder on their computers or desks — or at the exit to the office/cubicle area.
Relating B:MAP to the ABCs of awareness and behavior
Culture and consequences also have an impact on motivation and prompts. Peer pressure can be quite a strong motivator. The desire to avoid disappointing peers is a critical motivator, and if peers create a negative consequence for an individual not performing an action, it again incentivizes the action.
Also, if the culture regularly prompts the action, you will find the action much more likely to occur. This may include employees reminding each other which sensitive subjects are not to be discussed outside the workplace.
At the same time, your awareness program should provide information and other resources to increase the ability of the individuals to perform the actions. This might be, for example, better instruction on how to detect and report phishing messages.
As an awareness professional, your job is technically to create awareness of the desired behaviors. You should also look for opportunities, however, to suggest technical tools that can be added to increase abilities and prompts. You will likely have to work with other teams to accomplish this task, but it’s worth the effort. For example, adding a button labeled Report Phishing Message to an email client can increase the ability to report a potential danger — while also providing a constant prompt. This would likely involve working with the endpoint support team.
Though behaviors may be related to an individual’s motivation and abilities, you can analyze the behavior at a macro level to identify how to improve the overall motivation and abilities of individuals. You can then decide on ways to improve prompting as well.
The Forgetting Curve
The Forgetting Curve, shown in Figure 3-3, describes the rate at which individuals forget information when it isn’t reinforced in memory. Suppose that I introduce you to someone, for example — the longer you go without being reminded of the person’s name, the less likely you are to remember it.
FIGURE 3-3: The Forgetting Curve.
Security awareness programs naturally rely on users’ retaining information, much of which may be new to them. Suppose that you show people a three-minute video and then administer a three-question quiz on the content of your program. If users have no reason to recall that content beyond the training session, their ability to recall the information declines quickly, until eventually they forget the information altogether. Fortunately, you can offset users’ memory decline by building a reinforcement strategy into your program.
This list describes some ways you can try to “interrupt” the Forgetting Curve and slow the rate of forgetting among users:
Reminders: Provide periodic reminders to refresh and enhance users’ knowledge. These can be posters, mouse pads, or any other “nudge” item that provides a frequent trigger for the information.
Significance of information: Convey the significance of the information you share in your communications. If users assign significance to what you’re saying, they may automatically (like magic!) embed the information into long-term memory. This can include describing significant harm experienced, or, potentially, penalties for violating the procedures described.
Memorable presentations: Present information in memorable ways, such as by using humor, outside speakers, or unique formats.
Show connections: Tie the information to other memorable lessons, such as relating a past incident to how the application of your information could have prevented it.
Reminders interrupt the Forgetting Curve and are more likely to result in long-term retention of the information.
Remembering That It’s All About Risk
When I speak at various events, I sometimes ask my audience, “Who is a security professional?” Of course, everyone raises their hand, and I reply, “You are all failures.”
I go on to explain that the dictionary definition of security is being “free from risk,” and you can never be free from risk. Therefore, you will always fail when your stated goal is security. Supposed “security” professionals are charged with risk management, or determining risk and then mitigating that risk as long as mitigating the risk isn’t more expensive than the risk being realized.
Risk can have different meanings in different professions. As I advocate throughout this book about the need to deliver and demonstrate risk reduction, the remainder of this section defines what I mean by risk reduction in a way that you should be able to share with others — especially those people whom you report to or need to show your return on investment.
Optimizing risk
When you create a security awareness program, you want to create the most risk reduction while using the least resources. To optimize your efforts, make it your goal to influence as many people as possible, but don’t expect to influence everyone. You can potentially influence everyone, but that means dealing with everyone individually, and unless you’re in a very small organization, this approach is impractical and too expensive. From a practical perspective, if you spend more on your awareness program than you save through your efforts, your program will be a hard sell to management.
To discuss risk, you need to have a working definition of risk that you can use to step your organization through the costs and the expected rewards. This should also include the definition of exactly what is at risk. The following sections should help with the process.