Imagine a network of intelligent sensors and content filters that connects to every endpoint in an enterprise network. It is scalable, resilient, adaptable, and features the gold standard (for the moment at least) in natural language processing. It has an average uptime of 98% during business hours. Even better, all organizations already have this tool. They just have to figure out how to configure it.
We are not talking about the latest firewall or intrusion protection system, but an organization’s users. We realize that the user population doesn’t normally fall within the traditional idea of a control, but to think this way is to miss an opportunity. We are talking about a part of security governance that doesn’t get as much attention as we think it deserves, which is information security awareness training.
Like all distributed, versatile systems with a deep feature set, the user population doesn’t function well as a sensor network at first, and understandably so. People have their actual jobs to worry about, which is why phishing remains such a reliable attack vector, and part of why the industry tends to describe humans (including security professionals!) as “the softest of targets.”1 As we have noted elsewhere, “When trying to take over a system, you want to exercise control at the element with the greatest variety of behavioral responses. In most organizations, this element isn’t the technology but the users.”2
Most organizations try to address our inherent human exploitability with third-party security awareness training that, if we’re honest, is often a bit disappointing. It feels like many of these courses are both created and chosen with the goal of ticking a box in a compliance checklist rather than really limiting risk—and certainly not with the perspective of turning the user base into the amazing detection and prevention network that it could be. To be fair, however, security awareness training is hard to get right.
Why Is It So Hard?
The main reason it’s difficult to get users to engage with security awareness training is that security is not part of their jobs. Users are getting paid to do something else, and they have plenty of it to do. Most users are also not personally interested in security, except insofar as it relates to their privacy and financial security. Security professionals often exacerbate this interest gap by oversharing about their passions. We dive into the weeds because that is what interests us, rather than tailor our training to what the prototypical user actually needs and wants to know.
A deeper issue is that there really is no such thing as a “prototypical user.” Organizations are made of people with an extraordinarily wide spectrum of experience, interest, and responsibilities. All of them need to take the training, which means that there are tough decisions to be made about content. How much detail do you include? How ominous do you make it sound? How many specific cases do you go into? Chances are that you’ll bore someone no matter what point you pick in the spectrum, and if you choose the middle path, you may just bore everyone.
There is also the potential to go overboard and scare everyone. While it is valuable to alert people to the personal and organizational risks that security breaches present, it is also possible to overstate the risk and make people feel trapped, helpless and paranoid. Security training must explain both the problem and the solution in a way that doesn’t make people feel overwhelmed or disempowered.
How to Improve Security Awareness Training
Make it brief: People have things to do.
Make it relevant: Security doesn’t exist for its own sake. Because information security breaches hurt everyone, and we often feel (right or wrong) that we are acting in the public interest, security practitioners often make the mistake of assuming that issues like security and privacy are inherently interesting to everyone. Instead, emphasize that controls and training like this exist to enable the business, not to keep us employed or take up valuable time. It is not about the sharing of esoteric knowledge, it is about managing risk to both the organization and its people.
Make it personal: Create training content that feels organically important to their concerns, and not just ours. As financial and legal penalties for data breaches continue to mount, breaches increasingly represent an existential threat to businesses. Emphasize that complacency or resistance to security measures can hurt everyone, not for disciplinary reasons but because the business might fail. In addition, because enterprise information systems contain significant amounts of employee PII, breaches represent significant threat to individuals’ privacy and financial health. You might remind them that the enterprises are the medium of data exfiltration.
Make it solvable: While it is important to stress the that information security risk is real and applies to everyone, it is also easy to overstate the risk or complexity. This can have the unintended consequence of making people feel frustrated and powerless, leading people to circumvent controls, fast-click through training, and tune out.
Instead, treat security as a problem that is manageable, but only with the active, informed participation of everyone involved. Security awareness training is the best opportunity to speak directly to all users and exhort them to participate in a shared cause. The worst thing you can do is make it feel like a cheap, mandatory, pointless piece of training, with a canned presentation full of hacker stereotypes and obsolete concepts. Instead, be present, be empathic, be believable, and be there to help users, not coerce them. The psychological impact when people feel both empowered and responsible can transform your users into your field agents.
Our Approach
Our approach to security awareness training boils down to a few critical points:
- Threats are real, but we will all work together to minimize risk.
- If you see something suspicious or out of place, call Security.
- If the security team asks you to do something, or not to do something, there is a good reason why.
In practical terms, the attack modes that end users are most likely to experience are of the social engineering type, like phishing and tailgating. Teaching users about different types of malware, obscure exploits, and telling them war stories from the old days is not particularly useful. Instead, give people the tools and the support system to recognize and mitigate the threats that they are likely to experience.
As our colleague and occasional F5 Labs contributor Mike Levin notes, “Most employees may not recognize where customer service ends and social engineering begins. Training and policies would easily help and provide needed direction.” In other words, the users can be the weakest link, but they can also be the strongest. The difference between a bunch of “soft targets” and your properly configured, intelligent, adaptable network of sensors and filters boils down to one thing–how well you execute your awareness training.