Having worked in InfoSec for almost 20 years and as a trainer and college adjunct for over 10, I have done a lot of work, and I mean a lot of work, education and training. Within my various incarnations I have spent hundreds of man-hours creating strategies and the supporting content then delivering it to hundreds, if not thousands, of students and professionals. Topics have included layered defense/security, use and application of encryption for data protection, risk and vulnerability analysis, and security policy and awareness training. It is the latter that I wanted to talk about in this post.
Security policy and awareness are often lumped together and usually perceived as Awareness training on company policies. However, there really is a delineation in topic and tactics as they are two related but different things. First, to be more accurate it should be written, “Security and policy awareness training” because we are attempting to make people aware of security issues/defenses and organizational policy. This may seem trivial but if nothing else, it is more grammatically correct and reinforces that policy awareness and security awareness are two different things.
Policies are primarily created to protect the company from loss or damages from lawsuits, lost contract revenue and lost productivity. Yes, they also protect employees but in most cases, that is a byproduct not a goal. This is easily demonstrated. If the company does not create policies concerning employees’ conduct then other employees may quit or sue over harassment or a hostile workplace. If there is a lack of safety policies, the company may be fined by OSHA or other regulatory organizations, employees can be injured and sue the employer for an unsafe work environment or unions may strike. The latter two impact productivity and the last can cripple a company. I could continue but I think you get the point. Lack of policy ultimately impacts the bottom line.
Traditional “Training Programs”
If there are no compliance or other direct financial motivators, reviewing policy and conducting security awareness training are often neglected. Where compliance or contractual obligations are in place, employers go through the relevant policy handbook(s) reacquainting personnel with the requirements on whatever the required interval is, usually a yearly basis. For convenience, security awareness training is generally attached to the same effort. These programs are generally conducted in one of the following ways:
1) Via email with attachments or pointing employees to a site where they can “read up”. This is probably the weakest approach. Though the manager can show a message was sent, there is little to no validation that personnel received the message or that it was acted upon.
2) Personnel are invited to a 30-90 minute session where a live or web-based presenter goes through some sort of slide-ware. An attendance sheet is passed around so someone has a record of who attended. Though this method has the benefit of a tangible attendance record, it has a fatal flaw; few people want to be there. Attendees are often distracted using their laptops or smartphones to continue working on their daily routine, reading emails, tweeting, engaging in social network or anything else they can think of.
3) At a performance review, a policy sheet or handbook is passed over to the employee by the reviewer. The employee is then notified that (s)he should review the information to keep apprised of policy. The reviewer checks a box that training has been conducted. In some cases the reviewer may actually review key policies with the employee before checking the box. This has potential but falls short. In the first case where no actual review is conducted at that time, few employees will find the time to actually review policies telling themselves that there is little chance that (s)he will violate policy. In the second case where the employer goes over the key policies, the employee actually gets a refresher but those yearly refreshers seldom stick for very long.
Why “Traditional” Programs Fail
These methods allow managers to “check the box” but do little to actually improve the state of security or awareness within the organization. They can fail on many fronts. Content and delivery vary widely, which directly impacts the quality of the education. In many cases, training fails to engage the recipients meaning they do not retain the information for any significant duration. Secondly, all of them fail due to the training interval. General studies show that repetitive (regular interval) training is far better than cramming (yearly sessions) and that it takes about 20 hours to learn a new skill. This tells us that for it to be effective, personnel must receive nearly 30 minutes a week for the entire year.
Additionally, nothing I have mentioned thus far, though considered “security training” by many organizations, is really teaching employees how to be more secure. Some organizations add basic security training such as access badge management, watching for door piggy backers, and changing passwords but do little to help personnel understand how to change their perceptions and activities around security. We begin to learn “real world” security as kids and get reinforcement throughout our childhood but fail to make the transition to the cyber world. Though we are taught not to talk to strangers, many people think nothing of responding to or clicking on a link from an email though we have no real idea who it came from. People lock their doors when entering a bad neighborhood or a strange place but we take our smartphones out with us without a password or pin. We look both ways before crossing the street but are careless with our electronic records.
Every business entity out there has something to protect, intellectual property, personnel information, customer information, physical assets and cash/cash equivalents. Investment in training should vary by the level of risk that the company can tolerate or said another way, be proportional to the amount of loss it can tolerate.
Large organizations spend more on training not just because they have more money but because they have a larger risk due to the attractiveness of their portfolios to attackers. Without training, the larger staff presents a greater physical attack surface. Each employee is a possible target that can be exploited creating the greater risk. However, looking at risk, smaller organizations must not ignore training because of several factors.
Though small businesses have less employees to attack, the culture tends to be more focused on usability and accessibility to company resources to get the job done rather than a compartmentalized or rigid structure. Small businesses also tend to put little attention or budget into security training. Looking at it mathematically, if Company A has 25 employees with no security training that means that each employee is relying only on experience he/she has naturally accumulated to fall back on when evaluating options in response to an attack. This experience will vary by employee so we will use an average of 50% ability to decide appropriately, also referred to as attack resistance. If Company B with 50 people uses appropriate training practices it can realistically raise its attack resistance to 90% and possibly greater, making Company B far more resistant to the same attack. Putting it another way, Company B has more people but any given attack presented only has a 10% chance of success while Company A, even though it has less potential targets that can be exploited, has a 50% chance that any attack will succeed.
Without training, each attack executed is essentially an isolated event; the flip of a coin for which the percentage chance of making a bad decision stays the same for all employees for each attempt.
How We Improve Upon “Traditional” Program Delivery
When training is presented, this starts a change in individuals and ultimately the culture. Look at the analysis of the recent Target breach. Huge announcement that Target had 40 million cards compromised. People were concerned for a few weeks; some people stopped shopping at Target initially but after a couple of weeks were back to shopping at Target for Christmas. Very little residual learning value. There are plenty of other examples of huge data compromises such as TJX and Sony Online Entertainment (EverQuest), which all reported compromises but the reporting of these huge events failed to change customer spending habits for any significant length of time.
However, after starting a training program Company B begins a transformation to a security minded culture. As a security culture spreads, the knowledge curve gets steeper, faster so the ROI for the training investment builds faster than a “natural” learning curve or a reactive learning curve where a faulty decision is used as an alert or warning. Group “memory” becomes longer because personnel learn how to recognize attacks making better choices going forward and sharing that understanding with others in their sphere of influence. Security is now a learned behavior rather than a one-time response.
What it Takes to Make a Better Program
1) Security training should change how people think about the consequences of their actions within an environment. Most of us have learned, based upon situational context, aka learning our environment, if we enter a room with old friends, walk up behind one and say, “Hey man, you are ugly”, the person will most likely laugh and respond with a similar insult and everyone continues on having fun. However if someone tries the same thing in a room of strangers, the outcome is significantly different. Most people have learned how the consequences of their actions differ in different environments so they alter their behavior.
2) Security training has to be engaging (even entertaining) to be remembered and internalized. Few of us remember what we did in school on any particular day but most of us, depending upon our age, can remember our favorite TV show from when we were young or where we were when a significant world event happened because we were engaged having been drawn in by the event and its description.
3) Security training must be repetitive and reinforced. This is pretty straight forward. Humans are creatures of habit. Practice does make perfect.
4) Training is most successful when conducted in a non-confrontational setting and, if an event where a poor choice was made has occurred, as soon after the event as possible. We are most successful in training someone to change his/her behavior post an event. We are less successful in changing behavior, especially in a business environment when we yell at, embarrass, or intimidate personnel. We are more successful when we coach. That is when everyone wins. Personnel feel respected and are highly motivated to improve so employers get a better employee and employees get a better environment in which to work.
5) Completion/Progress and improvement must be tracked. Remember a foundational tenant of quality control is if you can’t track/measure it, you cannot improve it. Once a year, “sign the form” can in no way measure performance, just binary attendance. The tools we use must be able to identify and report on whether or not an individual’s training was started, whether or not it was completed and if it was completed successfully. Only by being able to track use and progress can we identify individuals or organizations that need more support to be successful.
6) Whatever method you choose must be cost effective based upon your size and balance sheet.
7) An effective training program should meet its security goals and not be forgotten over time. If the program fails to improve your organization’s security or your staff forgets about the program soon after its completion, it has not done its job correctly. The top companies in the United States complete an average of 67 hours of training for each employee every year. The training exercises focus on things like team building and conflict resolution, while offering coaching and in some cases, tuition reimbursement for courses taken outside of work. Doing whatever you can to improve your employees’ overall skills can give them motivation to help you reach your security goals.
What It All Means
1) All organizations which have any data or money to protect need Security Policy and Awareness Training!
2) Though they can be approached using similar techniques, Policy Training and Security Awareness Training are teaching two very different things.
3) Security Awareness goes far beyond mere compliance. Security Awareness builds a security culture that reinforces itself significantly faster than a compliance culture because it has repetitive learning and reinforcement delivered by not only the training tools but by the personnel because it changes the way they think.
4) In creating a Security Awareness Training Program, choosing a partner is key. The customer is putting a significant amount of trust in this partner to deliver on not only a normal value proposition but also change the business culture and reduce risk. To make a successful partnership, that partner must meet the six criteria described in “What it Takes to Make a Better Program”.
By instituting a Security Awareness program, you are reducing the odds that you will be compromised in a time when attacks are becoming increasingly widespread. Security Awareness Training is just like any other security investment; it is designed to reduce risk. However, it is one of the few changes you can make that positively and directly affect your most targeted asset, your people.
Enterprise Management AssociatesTM, a tier one analyst firm, is conducting a market research project on IT, Security and end user perceptions on existing security and policy awareness programs effectiveness.
Some of the key goals of the project are to identify, by industry:
1) Deltas between the quality of what IT and Security think they are delivering and what end users think are getting.
2) Gaps between spending on technical/job training and Awareness training.
3) Can/How organizations measure training effectiveness.
Please visit my blog at Enterprise Management Associates here to learn more about the research and sponsorship opportunities.
David Monahan | Research Director, Enterprise Management | @SecurityMonahan
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions.
