Around this time each year, as Cybersecurity Awareness Month approaches, I am regularly asked to present to customers and prospects on best practices for information security awareness programs. In all the years I have given this talk, the talk track has not changed significantly, because the core awareness challenges within the end-user population at most organizations are largely unchanged.
Rather than walk through the usual tactical "do this, not that" recommendations, let's step back and look through a different lens at how to build awareness content, or even an entire security awareness program.
I am a big believer in looking into other industries, and even across history, to see if someone else has already solved an important problem. Why reinvent the wheel when someone else has already arrived at a solution?
Consider some of the words we use when talking about security awareness: "hygiene," "habits," "safety," and "community." Security pros will recognize those same concepts from the world of healthcare, and that is no accident. Both fields seek to deploy knowledge as a weapon against ignorance and carelessness.
In most healthcare educational efforts, awareness is explicitly not the same thing as behavior change. It is the latter goal, actually changing behavior, that is both ambitious and necessary, and it applies just as fully to security awareness programs.
What are some of the building blocks for changing problematic behaviors in order to prevent negative health outcomes? Start with the foundational importance of good hygiene, both inside and outside the home. Different individuals assess risk differently: do I really need to wash my hands before every meal? The Health Belief Model seeks to explain why some people fail to adopt good health habits. Two of its key components are perceived susceptibility ("I'm very healthy, so I don't need to worry") and perceived severity ("Even if it happens to me, it won't be serious"). Many companies have employees who believe they are invincible, or at least more careful than the next person, when it comes to safely using the Internet and its tools, and a program that ignores those beliefs will struggle to change the behavior behind them.
Effective health communication efforts plan upfront: identify the at-risk populations first, then deploy one or more tailored messages designed to resonate with each of those groups. Two typical signs of a successful approach are messages designed to reach the audience in the right context, and rewards for individuals that encourage new habits.
The point about the right context is easy to overlook. People should practice good health habits wherever they are, at work or at home. From a security awareness perspective, is there an on/off switch that fundamentally changes a person's online behavior at work versus at home? Usually not: the habits that lead someone to click a suspicious link on a personal device are the same habits they bring to the office. Yet many security awareness programs focus exclusively on at-work behavior and at-work use cases. That is a missed opportunity to approach each employee as the whole person they are.
Even where the research appears to conflict, there are more than a few ideas in healthcare communications worth reusing in a security awareness program. For example, anti-smoking studies suggest that weak but sustained educational efforts are more effective than a strong but brief one. Other studies, reviewing medication adherence, reach the opposite conclusion: longer educational campaigns leave more time to backslide after initial compliance, and short, persuasive campaigns often reach a greater proportion of people in the intervention community than long ones do.
There is no one-size-fits-all answer here, and no single security awareness program that works everywhere. Yet I can promise that the time a company spends mining the world of healthcare, and other resources outside cybersecurity, will spark new ideas.
Don't settle for merely checking the box with a company security awareness effort. Ensure that the use cases speak directly to the users the company wants to reach, and always work to meet the audience where they are, at both work and home. Make the content easy to consume for both two-decade veterans and fresh-out-of-college new hires. Think about how best to deliver the messaging and how long each message should run, and don't be afraid of repetition. Finally, identify and recruit security-aware "embedded" coworkers from each department; they act as a force multiplier for the company year-round, not just during its annual training exercise.
The sooner everyone in the organization realizes they are front-line members of the security team, the sooner the company will achieve its goal: a self-aware, security-conscious population that responds appropriately when it faces a security threat.
Ben Smith, Field CTO, NetWitness