Security Awareness For Dummies. Ira Winkler
Security Awareness For Dummies, Ira Winkler, page 19

dishwasher. The action line represents the theoretical point where the combination of the motivation, action, and prompt is likely to have an individual take a desired action.

      Though the intent of the model is clearly based on individual motivation, you can consider this mapping at a group level to determine the abilities you need to create within the overall organization. Abilities are the skills your awareness program needs to create or encourage so that the users have the requisite knowledge to complete the desired behavior. Likewise, you can establish consequences that create perceived motivation across the entire organization. An awareness program can also make people aware of the prompts that trigger the desired behaviors.

      For example, food service workers are mandated to wash their hands after using the restroom. This task requires minimal ability, so all that’s required is the appropriate prompt, or nudge (discussed in Chapter 7). The prompt is frequently a sign in the restroom stating that employees are required by law to wash their hands before returning to work. The prompt is simple, and sinks are immediately available. The motivation is a reminder that the workers can be punished for not washing their hands.

Prompts (or nudges) should be placed as close as possible to the spot where a behavior should be exhibited. For example, if you want people to lock their desks or computer monitors when their desks are unattended, put a reminder on their computers or desks — or at the exit to the office/cubicle area.

      Relating B:MAP to the ABCs of awareness and behavior

      Culture and consequences also have an impact on motivation and prompts. Peer pressure can be quite a strong motivator. The desire to avoid disappointing peers is a critical motivator, and if peers create a negative consequence for an individual not performing an action, it again incentivizes the action.

      At the same time, your awareness program should provide information and other resources to increase the ability of the individuals to perform the actions. This might be, for example, better instruction on how to detect and report phishing messages.

As an awareness professional, your job is technically to create awareness of the desired behaviors. You should also look for opportunities, however, to suggest technical tools that can be added to increase abilities and prompts. You will likely have to work with other teams to accomplish this task, but it’s worth the effort. For example, adding a button labeled Report Phishing Message to an email client can increase the ability to report a potential danger — while also providing a constant prompt. This would likely involve working with the endpoint support team.

      Though behaviors may be related to an individual’s motivation and abilities, you can analyze the behavior at a macro level to identify how to improve the overall motivation and abilities of individuals. You can then decide on ways to improve prompting as well.

      The Forgetting Curve

      FIGURE 3-3: The Forgetting Curve.

      This list describes some ways you can try to “interrupt” the Forgetting Curve and slow the rate of forgetting among users:

       Reminders: Provide periodic reminders to refresh and enhance users’ knowledge. These can be posters, mouse pads, or any other “nudge” item that provides a frequent trigger for the information.

       Significance of information: Convey the significance of the information you share in your communications. If users assign significance to what you’re saying, they may automatically (like magic!) embed the information into long-term memory. This can include describing significant harm experienced, or, potentially, penalties for violating the procedures described.

       Memorable presentations: Present information in memorable ways, such as by using humor, outside speakers, or unique formats.

       Show connections: Tie the information to other memorable lessons, such as relating a past incident to how the application of your information could have prevented it.

Reminders interrupt the Forgetting Curve and are more likely to result in long-term retention of the information.

      When I speak at various events, I sometimes ask my audience, “Who is a security professional?” Of course, everyone raises their hand, and I reply, “You are all failures.”

      I go on to explain that the dictionary definition of security is being “free from risk,” and you can never be free from risk. Therefore, you will always fail when your stated goal is security. Supposed “security” professionals are charged with risk management, or determining risk and then mitigating that risk as long as mitigating the risk isn’t more expensive than the risk being realized.

      Optimizing risk

      When you create a security awareness program, you want to create the most risk reduction while using the least resources. To optimize your efforts, make it your goal to influence as many people as possible, but don’t expect to influence everyone. You can potentially influence everyone, but that means dealing with everyone individually, and unless you’re in a very small organization, this approach is impractical and too expensive. From a practical perspective, if you spend more on your awareness program than you save through your efforts, your program will be a hard sell to management.

      To discuss risk, you need to have a working definition of risk that you can use to step your organization through the costs and the expected rewards. This should also include the definition of exactly what is at risk. The following sections should help with the process.