Educause Security Discussion mailing list archives

Re: Security Awareness Feedback


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 27 Apr 2004 15:56:40 -0400

Melissa Guenther wrote:

I have been assigned a project to help determine the status of
Security Awareness interventions.  In such, I am polling both
individuals and groups on the question below.  I am asking that you
provide formal and informal information that answers the question.
Ideally, you will scrub all identifying information before sending -
as a precaution, I will recheck to make sure names and other
information are removed.  I will be happy to send anyone interested the
final report.

Question - Why is security awareness typically such a failure?  It is
mentioned in 3 places in the 7799 spec.  It is usually considered only
slightly less important than policy.  Yet, it seems to be uniformly
poorly implemented.

Note -For purpose of this study:
There is no such thing as "Security Awareness Training." The purpose
of awareness efforts is to focus attention on security and possible
adverse impacts from a security failure. Heightened awareness allows
individuals to recognize security concerns and respond accordingly.

During awareness activities the learner is a passive information
recipient, while the learner in a training environment takes on a more
active role. Awareness aims to reach broad audiences with attractive
packaging techniques. Training is designed to build knowledge and
skills to facilitate job performance.

Learning achieved through awareness is short-term, immediate, and
specific. Training involves higher-level concepts and skills. For
example, if a learning objective is "to increase use of effective
password protection among employees," an awareness activity might
involve using reminder stickers on computer keyboards. A training
activity might involve computer-based instruction in the use of
passwords, especially how to change passwords for organization systems.


Hi Melissa,

I interpreted "failure" in your question to mean "ineffective".

1. Because people get bored with generalities and
   oversimplifications they hear over and over and that they
   think they have covered. Or that don't apply to the task at
   hand. Or they get frustrated with specifics that are so
   numerous and changing that they can't keep up with them.

2. Because, in the haste to complete day-to-day activities,
   oft-heard warnings are dropped in priority to complete
   the task at hand. They feel pressure to get something
   done Right Now and take shortcuts. Or make mistakes
   in haste. In some sense, only controls which prohibit the
   undesired activity are effective against this, e.g. system-
   enforced password complexity rules, network access
   controls, limited-privilege user accounts, mail filtering,
   TCPA-enforced software restrictions, etc.

   When a person is up to their neck in alligators day after
   day, they tend to become inured to them so they
   can get the swamp drained.

3. Because while everyone agrees security is important,
   there is a perception that someone else is taking
   care of it. Some folks feel overwhelmed by the
   responsibility. Some folks don't realize how much
   it depends upon them. Some folks don't realize the
   compromises that need to be made to achieve a
   particular level of exposure.

4. Because sometimes it's not important to people until something
   bad actually happens to them (individually or collectively).
   Witness last Fall's Blaster effect on the awareness of
   network access filtering best practices and Windows
   Updates. Or the effect of losing one's Internet access
   on getting anti-virus software installed and infections
   cleaned. Or the threat of a lawsuit on copyright violations.
   Who would have put up with today's airline searches
   five years ago?

5. Superficial awareness is inadequate, at least in today's
   environment, which is likely to persist for at least a few
   years. It's only the start. A core understanding of underlying
   issues must be imparted in order that the principles can be
   interwoven into daily activity, which may change from person
   to person, task to task, threat to threat, or day to day. And
   then it has to be made a priority - by forcing it technologically,
   by making it an organizational priority, and/or requiring
   it for access.

   1. A basic knowledge of what a computer is underneath
      all the GUIs and splash screens that have covered up what
      hasn't changed in the past thirty years needs to be acquired.
      What a program is. What it can do. What an icon is. What
      a server and a client are. Basic architecture of email, web, and
      network/Internet. What a user account and password are.
      It doesn't have to be mind-numbingly technical. This has
      benefits beyond the security scope.

   2. Focus on some security basics that have been around a lot
      longer than computers:

      a. Principle of least access
      b. Principle of defense in depth
      c. Issues of trust and authentication
      d. Complexity vs. security
      e. Need for maintenance and monitoring

   3. Show the threat environment through real examples.
      Demonstrate a need. Make it personal.

   4. Teach how to apply the basic security principles in every-
      day activities with an emphasis on a generic understanding
      rather than what icons to click or what products to
      install.

Is eight hours of training to protect personal and organizational
information and operation too much? An hour or two is often
spent teaching Word, Excel, or Windows. Why not something
that will last beyond the next release?

I'll end this tirade by relating what I hope is an interesting
and amusing experience that is tangentially related. I was
asked to present our awareness talk at an organization that
acquaints seniors with computers. One of the problems related
to me in this endeavor was that the participants were scared
to do anything for fear of breaking something. Unbeknownst
to me, throughout the prior six weeks it was stressed that
the participants should just click something if they didn't know
what it was to learn about it. I spent the first half of the
presentation telling what kinds of things are occurring today.
The second half in protective measures. Imagine the dismay of
the instructors and students when one of my bullet items was
"If you don't know what it is - DON'T CLICK IT".
I haven't been invited back since. :)

Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.