I like to call the art and science of giving clueless people a clue through security awareness training Clufology. Therefore, I must be a Clufologist.
My job is to increase the security cluefulness of IT novices and other clueless computer users. When I think about how many clueless folks there are out there, I know I have a job for life.
Just look at parents who ask their kids to install parental monitoring software, CEOs who think password rules don't apply to them, and hunt-and-peck typists who can't press Ctrl-Alt-Del at the same time and never log off. Not forgetting Ma and Pa and everyone else who thinks that a new PC is forever protected against malware and viruses.
Too many clueless users to count, but it's not their fault! Unless they are taught to care, we cannot blame them for technical ignorance.
In teaching Cluefulness, we must not accidentally create legions of well-intentioned, but wholly ill-equipped, users who fancy themselves security experts. The goal is simpler: teach the clueless when to call the security experts.
Simple dos and don'ts
Users need to know that just because they can do a thing, it doesn't mean they should.
To click or not to click on email attachments? Surf any and all websites? How about password management, or the IM codes their kids are using?
Families have their rules and so do companies. Being Clueful is knowing what to do, what not to do, and why.
Becoming a human firewall
Users need to recognize the threats to themselves, their organization or environment and then rapidly make a proper response. They should know the threats to the security triad – cyber, physical and people. They should also be able to manage the loss of critical personal or enterprise information.
Principles and policy
To achieve high levels of Cluefulness, users should understand the underlying principles of security: integrity; confidentiality; availability; encryption and keys; wireless; bandwidth limitations; and access control. Becoming Clueful is no harder than learning a few desktop apps.
I know this might sound simple, but getting there is the other 90 percent of the job. The Clunician uses many different tools and techniques to help make users more clueful. My Clufological guidelines are pretty simple.
Make awareness fun
First, security awareness must be entertaining. Turn your staff's arm-crossed defiance into enthusiastic cooperation. Gaming is one of the most effective interactive and immersive learning techniques. Absorption in any subject virtually guarantees retention – and that is the pro-Clueful goal, after all.
Compliance and awareness assessments can actually be fun – if you dare.
Make awareness personal
Forget your policy for now. Most employees don't care. Tell your staff how to protect their families first. They do care about their spouses and children. Make them Clueful about ID theft, online banking, illegal downloading.
If you teach your staff how to protect their families, you are teaching them what you want them to do at work. By making it personal, security policy compliance will soar.
Measuring Cluefulness
If you can't measure it, why would you do it?
Security and Cluefulness training does not have to be expensive, but you still want to know how your money is being spent.
You will likely discover that security awareness programs are a measurably effective way to allocate tight security budgets. My Clumetrics system, for example, uses a simple scale ranging from Clueless to Clueful (0 to 100).
Successful security awareness programs and Clueful staff can increase efficiency and strength through less downtime, faster reaction and security event mitigation, and better privacy practices. All of which means a much more productive work environment.
Winn Schwartau is an author and head of Interpact, Inc.
