I loved the movie Inception when it came out. It had everything, a stellar cast, amazing visuals, a strong plot, and a twisted end that still has me wondering whether or not they were in a dream at the end.
The somewhat convoluted premise of the movie is that people can enter the dreams of others and plant a seed or a thought in there that will ultimately affect their decisions in the real world.
For example, if you read the phrase, “Don’t think of a pink elephant” – the first thing that pops into your mind is a pink elephant.
The point of bringing this all up is that the human mind is a strange thing. It is fiercely independent, yet can also be manipulated in subtle ways to do the bidding of others. It’s one of the reasons that phishing and in particular spear phishing emails are the most popular attack method for cyber criminals and nation-state actors.
Some people wrongly believe that security awareness and training are a wasted effort, and that the effort is better spent deploying technical controls. One problem with relying solely on that approach is best described by the concept of risk compensation, also known as the Peltzman effect, which states that people tend to adjust their behavior in response to the perceived level of risk.
For example, when seatbelts were introduced to cars, Peltzman predicted that this would lead to more pedestrian casualties because there was less risk to the driver, allowing them to engage in more risky behavior.
Of course, if you place a spike on the steering wheel of a car, you’ll change the behavior of the driver drastically.
Similarly, with more technical controls, gateway, network, endpoint, etc., users can end up being prone to engaging in more risky behavior by clicking on links that they shouldn’t, downloading malicious files, and so forth, all because of a misconception that the technology will defend against all actions.
Therefore, to protect against this, it is essential that users are trained to act in the interest of security and make better risk-based decisions.
Organisations don’t think… people think. Therefore, it is crucial to target people and their way of thinking, which ultimately will change their behavior. Policies are lovely, but policies alone won’t save an organization. It’s a human at the sharp end who in a moment in time will have to decide which course of action they want to take.
One good way to look at behavioural change is to step outside of infosec to see how other industries have been able to change the behaviour of people at large.
SUV car manufacturers have been pretty good at this. The number of 4x4s on the typical road far outweighs the number of drivers who need to navigate rough terrain or live on a farm.
Another great success story has been that of recycling. Ten or fifteen years ago, the awareness of recycling was low, and so was the behavior. But after years of campaigns, we can see every office and most households have a number of different bins into which people willingly separate out their rubbish. In fact, putting the wrong item in the wrong bin can be seen to be as uncivilized as putting your elbows on the dinner table.
Bad guys use similar tactics with social engineering when trying to break into an organization. We have all seen or experienced examples of where someone with a silver tongue has been able to manipulate another for their benefit.
It can be frustrating for the victim in these scenarios. Oftentimes, people have buyer’s remorse after falling for the charms of a salesperson, or almost immediately regret clicking on a suspicious link.
So why is it that social engineers have more success than your average security awareness program? The simple reason is that the social engineer is only looking to circumvent your responses for a limited period of time. They just need you to hold that door open for them for 5 seconds, they only need you to click on that link once, they only want you to type in the password once.
Behavioural change is an anti-social engineering tactic. We aren’t looking for a short-term fix; instead we’re looking for people to change how they view security fundamentally. Just as we teach children to cross roads safely, it then becomes a habit for life.
In order to do this effectively, you need to stop thinking like a hacker and start thinking like a revolutionary. Think about long-term change and about forming habits. It’s not about telling people not to click a link if it meets a narrow set of parameters. Rather, equip them with the understanding and the framework so that they realise that clicking on the link can be like the butterfly effect – and potentially have a big impact.
There are four defined stages of competence:
- Unconscious incompetence - You’re bad at something and you don’t know you’re bad at it.
- Conscious incompetence - You’re bad at something, but you know you’re bad at it.
- Conscious competence - You’re good at something and you know it, but you need to invest conscious effort into achieving it.
- Unconscious competence - You are so good at something, it’s literally second nature.
Through security awareness training, the objective is to move through these layers and ideally to a state of conscious competence.
But before embarking on this journey, there are three acceptances that need to be understood by the security professional:
- Accept that security professionals may be the most knowledgeable on the topic, but they are rarely the best people to create a learning plan and be the teachers.
- Accept it’s a people issue – and no amount of technology will ever be enough.
- Accept it will take time – it’s a journey, not a destination.
With that out of the way, actual security awareness and training need not be difficult. There are plenty of resources available. Find the ones that are most relevant and specific to your organization and your people. Also, take a look at what others have done outside of your industry.
Consistency is key – once a year PowerPoint presentations won’t achieve much.
Finally, measure how much you’re improving. One of the best ways is to test your users without any training, then provide training and re-test in frequent intervals. If the percentage of users falling for tests goes down, then you’re on the right path.
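A small way to put that measurement on a sound footing, added here as an illustration and not part of the original post: it compares the baseline (untrained) failure rate of a phishing simulation with the latest round using a two-proportion z-test, so that a drop caused by noise is not mistaken for real improvement. The round sizes and counts are constructed sample values, not figures from the post.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Round:
    """One phishing-simulation round: how many users were targeted and how many fell for it."""
    label: str
    targeted: int
    fell_for_it: int

    @property
    def rate(self) -> float:
        return self.fell_for_it / self.targeted


def two_proportion_z(a: Round, b: Round) -> tuple[float, float]:
    """Return (z, one-sided p-value) testing whether round b's rate is lower than round a's."""
    pooled = (a.fell_for_it + b.fell_for_it) / (a.targeted + b.targeted)
    se = math.sqrt(pooled * (1 - pooled) * (1 / a.targeted + 1 / b.targeted))
    if se == 0:  # identical all-or-nothing rounds: no evidence either way
        return 0.0, 1.0
    z = (a.rate - b.rate) / se
    p = 0.5 * math.erfc(z / math.sqrt(2))  # upper-tail probability of the standard normal
    return z, p


def trend(rounds: list[Round], alpha: float = 0.05) -> dict:
    """Compare the first (baseline) and last round; 'improved' requires a statistically significant drop."""
    baseline, latest = rounds[0], rounds[-1]
    z, p = two_proportion_z(baseline, latest)
    return {
        "rates": [(r.label, round(r.rate, 3)) for r in rounds],
        "baseline_rate": baseline.rate,
        "latest_rate": latest.rate,
        "z": z,
        "p": p,
        "improved": latest.rate < baseline.rate and p < alpha,
    }


# Constructed sample data (hypothetical organisation of 400 users, three rounds).
ROUNDS = [
    Round("baseline, no training", 400, 112),
    Round("one month after training", 400, 76),
    Round("three months after training", 400, 48),
]

if __name__ == "__main__":
    print(trend(ROUNDS))
```

With small groups a drop from 20% to 16% can easily be noise; the test reports it as not improved, which is the point of re-testing at frequent intervals rather than trusting a single comparison.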
Before parting, I’d stress to make it simple and make it work for the people. This isn’t an opportunity to showcase your superior knowledge, it’s an opportunity to let people understand something. Martin Luther King had a dream, he didn’t have a 10-point plan that would only be successful once 33.9% of the population adopted it.