One Thing at a Time
Today, let’s discuss an iterative approach to security awareness: Improve one area, then move on to the next.
Getting information out to the masses is a step in the right direction, but don’t view it as the entirety of your security awareness program.
Security awareness is not a “one-and-done.”
Securing users must be integrated into your overall information security posture.
We look at security awareness as a lifecycle (Security Awareness Lifecycle – SALC).
The phases include: Identify & Define, Baseline, Train, Track & Measure, Update. This is discussed in our 2016 white paper: Security Awareness and Training: Solving the Unintentional Insider Threat.
Whether you are designing a program for the first time or improving upon an existing program, an iterative approach can be used.
Focus on one topic or outcome at a time.
You may be tempted to deliver all of your security concerns and solutions in one training session. Don’t do it! People balk at receiving too much new information at once. This is why we like the idea of “bite-sized” content. Also consider that people need to see something several times to internalize it. This is known in advertising as “effective frequency.” Awareness is about getting the message out there (which is similar to advertising).
Let’s take an example of one focused outcome and follow it through the SALC.
Identify a specific area of improvement and define its desired outcomes.
Unlocked, unattended workstations or devices allow an ill-intentioned insider or outsider access to privileged or confidential information.
The desired outcomes are 1) all users voluntarily enable the screen lock on their computer when it is out of sight and 2) all users voluntarily secure work-issued smartphones and tablets in locked drawers or locked offices while away.
Baseline how well users currently do this.
Conduct walkthrough inspections (without making it known) and track any unlocked, unattended workstations and unsecured devices. Check at different times of the day (mid-morning, lunchtime, after hours) and over several days to capture a true picture.
Train users on the actions to be taken.
In terms of delivery, try to work it into existing training workflows and set a hard deadline (e.g. one month).
Things to keep in mind when training:
- Why is this particular training important?
- What action do you want them to take?
- How should they perform the action?
- What questions do they have and how can they submit these questions?
Ask for feedback such as “Did you understand how to do this?” or “Are there any challenges that are keeping you from doing this?” Let users know you’ll be on the lookout for violations of this use policy. This does several things:
- Users are put on notice of the importance of this topic.
- Users feel comfortable giving feedback and asking questions.
- Users expect follow up.
It’s time to track training progress and measure effectiveness.
If you made training mandatory, record the completion rate and determine whether the training helped deliver the desired outcome.
Soon after closing the training activity, test users with another walkthrough inspection. This time, publish the results. This shows you are focused on this issue and are actively monitoring it. If you don’t track it, users will not perceive the importance.
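The Baseline and Track & Measure steps above produce numbers that only mean something if the two walkthrough rounds are comparable. The following script is an added example (not code from the original post): it tallies constructed walkthrough counts per phase and per time-of-day slot, checks that each round covered several days and every slot before you trust it as a “true picture,” and reports the baseline-to-post drop plus the worst baseline slot, which is where reinforcement (signage, desk notes) is best aimed. The record layout, slot names, sample counts and the three-day minimum are assumptions made for this example.

```python
from collections import defaultdict

# Assumed slot names, following the post's suggestion of mid-morning, lunchtime and after hours.
SLOTS = ("mid-morning", "lunchtime", "after-hours")

# Constructed sample data, not real inspection results. One tuple per walkthrough:
# (phase, date, slot, workstations/devices checked, number found unsecured)
SAMPLE_INSPECTIONS = [
    ("baseline", "2016-03-01", "mid-morning", 10, 4),
    ("baseline", "2016-03-01", "lunchtime",   10, 6),
    ("baseline", "2016-03-01", "after-hours", 10, 3),
    ("baseline", "2016-03-02", "mid-morning", 10, 3),
    ("baseline", "2016-03-02", "lunchtime",   10, 7),
    ("baseline", "2016-03-02", "after-hours", 10, 2),
    ("baseline", "2016-03-03", "mid-morning", 10, 4),
    ("baseline", "2016-03-03", "lunchtime",   10, 5),
    ("baseline", "2016-03-03", "after-hours", 10, 3),
    ("post",     "2016-04-11", "mid-morning", 10, 1),
    ("post",     "2016-04-11", "lunchtime",   10, 2),
    ("post",     "2016-04-11", "after-hours", 10, 1),
    ("post",     "2016-04-12", "mid-morning", 10, 0),
    ("post",     "2016-04-12", "lunchtime",   10, 3),
    ("post",     "2016-04-12", "after-hours", 10, 1),
    ("post",     "2016-04-13", "mid-morning", 10, 1),
    ("post",     "2016-04-13", "lunchtime",   10, 2),
    ("post",     "2016-04-13", "after-hours", 10, 0),
]


def rate_by_phase(records):
    """Share of checked workstations/devices found unsecured, per phase (baseline vs post)."""
    checked, unsecured = defaultdict(int), defaultdict(int)
    for phase, _date, _slot, n_checked, n_unsecured in records:
        checked[phase] += n_checked
        unsecured[phase] += n_unsecured
    return {p: unsecured[p] / checked[p] for p in checked}


def rate_by_slot(records, phase):
    """Violation rate per time-of-day slot within one phase: shows when desks get left unlocked."""
    checked, unsecured = defaultdict(int), defaultdict(int)
    for p, _date, slot, n_checked, n_unsecured in records:
        if p == phase:
            checked[slot] += n_checked
            unsecured[slot] += n_unsecured
    return {s: unsecured[s] / checked[s] for s in checked}


def coverage_gaps(records, phase, min_days=3, slots=SLOTS):
    """List what is missing for a phase to count as a 'true picture':
    fewer than min_days distinct days, or a time slot that was never inspected."""
    days = {d for p, d, _s, _c, _u in records if p == phase}
    seen_slots = {s for p, _d, s, _c, _u in records if p == phase}
    gaps = []
    if len(days) < min_days:
        gaps.append(f"only {len(days)} day(s) inspected, need {min_days}")
    for s in slots:
        if s not in seen_slots:
            gaps.append(f"slot never inspected: {s}")
    return gaps


def summarize(records):
    """Compare baseline with post-training and pick the worst baseline slot for reinforcement."""
    rates = rate_by_phase(records)
    baseline_slots = rate_by_slot(records, "baseline")
    return {
        "baseline_rate": rates["baseline"],
        "post_rate": rates["post"],
        "drop_points": (rates["baseline"] - rates["post"]) * 100,  # percentage points
        "worst_baseline_slot": max(baseline_slots, key=baseline_slots.get),
        "baseline_gaps": coverage_gaps(records, "baseline"),
        "post_gaps": coverage_gaps(records, "post"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INSPECTIONS).items():
        print(f"{key}: {value}")
```

When the `baseline_gaps` or `post_gaps` lists are not empty, treat the comparison as provisional and schedule the missing walkthroughs first; a baseline taken only at lunchtime would overstate the problem, and a post-training check taken only mid-morning would overstate the improvement.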
Revisit the Train and Track & Measure cycles as often as needed.
Regardless of the outcome, it’s a good idea to continue training through reinforcement activities. These can be spaced throughout the year or immediately following the last Track & Measure activity.
Simply publishing the results of walkthrough inspections helps with reinforcement. Other ways to reinforce include signage—especially near break areas where users have gathered away from their desks. Another method? Place a note on the desk of those who left their workspace without securing equipment.
Finally, incorporate the results and feedback from users into your information security posture.
This may be in the form of an Update to training or an Update to policies/procedures.
Did you find that new employees are more likely to violate the policy because they missed the mandatory training and therefore need this training as they come on-board? Do some users just not know how to voluntarily initiate a screen lock? Do others need a lockable office/drawer in which to place their mobile devices? Remove as many obstacles as possible so users can adhere to the policy.
Look for more on the Security Awareness Lifecycle in future posts!