What is security awareness anyway, and should we care?
Guest Contributor: David Dunmore, IT Security Trainer
Let’s start by deciding what we mean by ‘Awareness’ and ‘Security’ in this context.
- Wikipedia defines awareness as: the state or ability to perceive, to feel, or to be conscious of events, objects or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event.
- Awareness is also defined in personal injury claims: Conscious of stimulation, arising from within or from outside the person.
Security is a broad term, including:
Physical Security – in a business context, this includes access to buildings, (Locks on doors, windows and other potential access points, walls, fences and entry/exit gates. Within this, there is the question of restricted access areas (Computer suites, research labs, areas where dangerous and/or high-value materials are handled or stored.
Physical security can also include security of power supply (UPS/backup generators/Solar PV) and water supply, as without these an office or factory cannot function.
Cyber Security – Again, this is a broad area, including perimeter security (Network Intrusion Detection Systems) Web and other outward facing systems in the DMZ, Email scanning, packet inspection (deep or otherwise) security on servers (Host intrusion detection systems).
Other simple, but often overlooked aspects of network security include setting strong passwords for admin accounts on ALL servers, routers, switches and all other network attached devices (including workstations), and MAC address filtering.
What is security awareness training
Security awareness training is a formal process for educating employees about computer security.
A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about who to contact if they discover a security threat and be taught that data as a valuable corporate asset. Regular training is particularly necessary in organizations with high turnover rates and those that rely heavily on contract or temporary staff. Confirming how well the awareness program is working can be difficult. The most common metric looks for a downward trend in the number of incidents over time.
Although security awareness is usually thought of in a business context, it is also important for people to have a good level of security awareness in their lives outside of work. From a business perspective this matter, as if someone’s home computer is compromised, any documents they create or modify for work, or any work-related emails they send could carry a malware payload.
Why should we care?
The number of cyber attacks is increasing and shows no sign of even leveling off anytime soon.
Half of UK businesses were hit by cyber attacks in 2016
(source: https://www.telegraph.co.uk/technology/2017/04/19/cyber-attacks-hit-half-uk-businesses-2016/ )
Hackmageddon compiles Cyber attack statistics on a regular basis, they have some 2018 statistics and historical data at: https://www.hackmageddon.com/category/security/cyber-attacks-statistics
It’s very easy to fall victim to a phishing attack, particularly if there’s a link in the email. Remember to ‘JUST STOP AND THINK BEFORE YOU CLICK THAT LINK’.
SANS has a pdf that talks about the importance of security awareness training at:
A copy of which is attached below
Teaching security awareness.
Traditionally security awareness training has been thought of as a ‘one-off’ exercise, perhaps repeated annually. But, to be really effective it must be thought of as an ongoing, cyclical process with some means of reliably measuring the effectiveness of the training. The cycle might be something along these lines:
- Full/refresh session (new starters would be required to have this session)
- Quarterly update/refresh sessions
- Ad-Hoc update sessions if a serious new threat emerges which could potentially have a significant impact on the business.
- Ongoing, un-announced phishing/spearfishing and other exercises conducted by the corporate IT security team. These exercises would have to evolve over time in order to reflect the ever-changing threat landscape. Anyone who gets caught is offered extra training and some form of positive reinforcement. Blame and punishment should play no part in the process.
- Positive reinforcement in the form of some small reward (cash/gift vouchers/flowers/whatever/ for those who don’t get caught.
The PCI Security Standards Council have a ‘best practices for implementing security awareness training’ document at: https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
a copy is attached below.
Academic studies on Security Awareness
Note: I have a number of security awareness related papers, and I can provide copies on request.
In 2010 Eirik Albrechtsen and Jan Hovden described a method of increasing security awareness and evaluated the results. The authors’ methodology for the study can briefly be described as follows: A survey was conducted among the participants prior to the sessions, to gauge pre-existing security awareness. The security workshop sessions of 2 hours each were held. Another survey was conducted among the participants one month after the workshop sessions to gauge any changes in the participants’ level of security awareness.
A final survey was conducted among the participants six months after the workshops to the sessions to gauge the level of retention of any changes in security awareness
There was also a control group surveyed, who did not participate in the workshop sessions.
The Structure of the Workshop Sessions (Eirik Albrechtsen, Jan Hovden 2010)
Each Workshop session was run for between 15 and 20 participants. They were told that the session was a discussion forum and that they would mostly be talking among themselves. In this way the participants would provide their various ideas about computer security to create a common pool of ideas, thoughts and (probably) increased awareness. Following this introduction, they were shown a short (5 minutes) security related cartoon film which provided a simple introduction to information security and the parts played by those involved in security work. Next came the first Plenary Session, where the group was asked ‘Why do we need security?’. The group then discussed how security was important to their organization, which has to provide information to the general public on a 24/7 basis. Also, they considered how each individual has a part to play in security work. Then the group was divided into smaller groups of 2 or 3 to discuss various scenarios. The scenarios discussed were common security-related situations like: In a public file folder, you find that you can open and read a document containing confidential and potentially damaging information about the company’s ethics or financial situation. What do you do?
After which, the results were discussed by the whole group in a second plenary session. In this way, every participant’s experiences and thoughts were shared by the whole group. Next, the staff running the session showed some slides containing ten security rules, and the participants were each given a laminated quick-reference security guide before a quick (5 minutes) summing up.
Following the session, the participants were surveyed twice, 1 month and 6 months after the original session.
The analysis of these surveys showed a significant change (Improvement) in the participants’ security awareness.
Areas where participants reported changes in security awareness and/or behavior 1 month and 6 months after the study (Eirik Albrechtsen, Jan Hovden2010)
NOTE: The questions presented fixed alternatives, but the participants could provide more than one response.
The majority attributed their change in security awareness and/or behavior to attending the workshop sessions.
Causes of changes insecurity awareness and behavior (Eirik Albrechtsen, JanHovden2010)
The paper clearly demonstrated that a collaborative discussion-based workshop approach can have significant benefits in increasing users’ awareness of IT security and practices. Further, the authors believe that the technique may be applicable to other areas because it was the methodology rather than specific content that caused the participants’ awareness to change.
The University of Washington (USA) has a useful Security Awareness training Powerpoint presentation which I’ve attached below.
Some approaches that could hold potential to increase the effectiveness of security awareness training are:
- Gamify the process. Create an immersive game environment, possibly based on an established format like Second Life or Minecraft, where the participants have to solve security related puzzles to progress through the game. The would be the traditional High scores and leaderboard, but with the added incentive that anyone completing the exercise with above a given (relatively high, but realistically attainable) score receives a small tangible reward.
- Use CBT (Computer Based Teaching / Training) to create a security awareness training course, using the interactive features available.
- Create a series of mobile apps, each covering one aspect of Security awareness in some depth.
- Create a series of You-tube videos, each also covering one aspect of Security awareness in some depth. With useful links in the comments section.
Informal training can be thought of as ‘being trained or learning something outside of a formal classroom or presentation setting’, or “learning without realizing that you’re learning”. This could be a regular get together to talk about security over lunch or coffee during the working day, or over drinks after work.
iwar.org.uk have a sample security awareness training programme document at: http://iwar.org.uk/comsec/resources/sa-tools/Security-Awareness-Program.pdf
a copy of it is attached below.
In their 2012 paper, Emilee Rader and colleagues ask
“How does the non-expert or inexperienced user learn about security?” This is an important question for the security community, because for these members of the general public there may be little or no opportunity to gather reliable information from an expert source. Such users may also be unaware of both the security threats, or if they have been subject to some sort of cyber attack, equally unaware of the nature or source of the attack. The answer would seem to be that they acquire their security awareness from equally non-expert users in the form of informal and/or anecdotal stories.
Surveys were conducted to discover the nature of these ‘stories’ and the effects of relying on such information. The correspondents were encouraged to write their stories out.
A total of 301 stories were received from the correspondents. They were found to be about actual security incidents which had taken place either to the correspondent or perhaps someone of their acquaintance. Many of the stories or anecdotes had been told and retold at least one or more times. The stories were broken down into a table of categories.
Pc Effects. The computer acted ‘strangely’ and it was assumed that a virus or similar was responsible. Breaking In Hacker or some other unauthorized person had gained access and been responsible for changing or interfering with some aspect of computer usage such as ‘facebook’. Viruses were also implicated in the ‘breaking in’ effect. Theft Personal information, money, or unauthorized use of credit cards to make online purchases. Also identity theft, hacking or Phishing scams. Instances in a nutshell where the original users had managed to lose something, usually without realizing the immediate consequences. Spam In this case, the user usually reported clicking on a link and consequently unleashing a Spam ‘attack’ which was perceived to spread to family and friends annoying more and more people on the way. Phishing These stories all involved requests for information on the computer Other Some of the stories were just too vague to categorize.
These ‘stories’ were usually heard and digested in an informal setting involving family and friends. Many of the respondents absorbed the stories, and ‘learnt’ lessons from the various anecdotes. There was, for instance, a general sentiment which emerged from the survey, that the Internet is ‘A dangerous place.’ The correspondents also reported that they felt that ‘anyone unknown to you on the internet can’t be trusted’. The correspondents also reported a general feeling that they would always be vulnerable no matter how much they attempted to secure their computers. A few correspondents were convinced that they could do nothing to protect themselves other than, ‘Hope that I don’t get hacked’.
Certain activities were seen as riskier than others. Shopping and giving away personal information were seen as high risk. After hearing some of the stories many correspondents reported that they were unwilling to risk some actions such as opening an unknown email, buying online, or sending for free samples.
To summarize, lessons were reported to be learned from stories, and behaviors were reportedly modified once the user had been alerted. It would seem therefore that informal telling and receipt of stories have the effect of making users more security conscious, even if they sometimes appear to grasp the wrong end of the concept.
(David J Dunmore – University of Bedfordshire 2013)
This article was originally posted on Peerlyst.