SAN FRANCISCO – At any gathering of infosec pros – like here at the annual RSA Conference – you can find people regaling colleagues with stories of employees who, despite regular training, do something online that endangers the enterprise.
“You can’t fix stupid,” is their common refrain.
That word infuriates Lance Spitzner, director of the SANS Institute’s security awareness training program. The fault isn’t with users, who he calls the human operating system, but with infosec pros.
“For us technology its simple,” he told a conference session, “so when people do not change behaviour we think its a motivational problem. So we run around with a big baseball bat beating people on why it’s so important and why they have to do it.”
But technologists suffer from ‘the curse of knowledge,’ he said. Because they understand things we think proper behaviour is easy. In reality it isn’t – like creating long passwords with different characters for each application, and being forced to change it every 90 days.
“This is failure,” he said – not only failure for the individual, but also for the entire awareness training program.
Much smarter would be for CISOs to install password managers so users only have to remember one password.
“Cyber security is scary to a lot of people, overwhelming to a lot of people because we’ve done a very poor job of communicating it in a very simple manner.”
To create a successful awareness program three questions have to be answered, he said: Whose behaviour should be changed, what behaviours should be changed and how are they to be changed.
The who determines the what and the how, because people learn differently – so training has to tailored.
For example, he said, employees with communications backgrounds (sales, marketing, advertising) sometimes make the best awareness training officers because they understand how to communicate.
On the other hand there’s a wrong assumption that th”Those with tech-related roles are a more secure group. “They often need a little extra love and training.” Same with senior management (The secret, he said, is to train the executive assistants.)
So start with creating target groups, or persona. “Once you understand who your target groups are then you can begin to shift to what you’re going to teach them.”
The wrong move is to try to teach them everything, Spitzner said.
“The hardest part of your job is figuring out what not to teach people. What are you going to cut … People can only remember so much. You have only so much time. So teach as few behaviours as possible. Make every behaviour as simple as possible.”
Start with narrowing down the biggest risks the organization faces based on an analysis of most common reported incidents. (Phishing, passwords and accidental — losing a device, emailing the wrong person because of auto-complete — are the most common, he said). Then identify key behaviours that will manage that risk.
To change behaviour the CISO has to prioritize, he maintained.
Then make things simple. For example, if losing smart phones are a problem the behaviour to teach might be activate a screen lock. If you can teach a second behaviour, it might be ‘Where ever you are regularly pat your pocket to make sure your handset is with you.’
And make sure the behaviour you want staff to adopt isn’t costly – like forcing them to change passwords every 90 days.
A simple solution might not be ideal, Spitzner admits, but at least they’ll be doing it.
As for how to change user behaviour, it involves communication, collaboration and culture. “We have to reach them emotionally,” he said. So make campaigns engaging, fun and positive.
One company with a younger, outgoing culture created a cartoon mascot called the Data Monster, with the slogan “Don’t feed the monster.”
“Traditionally awareness programs are push – send out an email … We want to create programs that people can consume on their own time.” Think wikis, but also staff ambassadors who help others.
But, he adds, training has to be regular – newsletters, posters, lunch-and-learn, podcasts.
Regarding metrics, what counts are numbers that show if the training has made an impact. Decide what the most important behaviours and find a way to measure them.
Metrics fail when people are embarrassed, he added, so don’t report people who fail a test the first time or run a phishing test with a Viagra offer. The number one way metrics fail is when testers decide tricky tests to “get” users.
Don’t be afraid to take a department out to lunch to find out what they are seeing and their biggest concerns – and to spread the word about security. It works, Spitzner said.
Finally, find and partner with an executive champion. “They bring you credibility and they also help you communicate to senior leadership, and you need that for long-term sustaining.”