I'm often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong.
1. Training does not work
I often hear people say: "Awareness does not work. I have never seen an awareness program actually change people's behavior."
To be honest, I have to agree with this statement. Most awareness programs in the past have failed to change behavior. However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested.
These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter.
For an awareness program to effectively change behavior, you need to create a program that is designed from the ground up to change behavior.
2. It's not worth it because someone will still mess up
People tell me that awareness is a failure; that no matter how much you train people, there is always a small group of people that will still fall victim. Folks, security is all about reducing risk, not eliminating it.
Awareness is nothing more than another security control. Why people hold awareness to a different standard is something I'll never understand. Awareness is no different than encryption, firewalls or intrusion detection. However, with awareness, you can get a tremendous return on your investment, in many cases reducing up to 95 percent of the human risk, according to measurements taken in phishing tests. Show me any other control that will get you that type of ROI.
3. People already know what to do
I've read interesting reports from academics that say people already know what secure behaviors to follow, they just choose not to follow them.
Wow, where are these people getting their data? With the organizations I work with, not only do people usually have no idea what secure behaviors they should follow, but they are also hungry to learn. They know there are bad guys online, but they don't know what to do to protect themselves from them. The problem is not the people. The problem is that we are not effectively training them. What is the number-one thing that, in my experience, people did not know? They had no idea that keeping operating systems and applications current was critical to keeping their computers and mobile devices secure.
4. It's all about prevention
When people discuss awareness, they usually focus on just prevention --they're trying to implement the idea of the "human firewall." While prevention is important, why limit ourselves? Why not train people to become human sensors as well?
Teach workers the indicators of a compromise and have them report potential incidents. For example, if you are doing phishing assessments internally, you should not just track how many people fall victim, but also how many detect and report the attacks. Just think how much stronger your organization would be then.
5. It's simple
Many people I work with assume that creating an awareness program is simple. If your only goal is compliance, then yes, awareness programs are simple. But if you want to effectively reduce risk by changing human behavior, you need to have a plan. Specifically, you need to identify who you are targeting in your program, what changes in behavior reduce the greatest risks to your organization, and how you will engage and communicate those changes in behaviors.
One of the most common obstacles to effective awareness programs that I see at companies is that they do not know where to begin. You can find a complete set of free planning resources developed by the community, for the community, on the SANS Securing the Human website, which includes a poster that documents each step to take and provides all the templates and checklists you need to build your program.
I'm a huge fan of awareness, and I have seen the tremendous impact it can have. However, until we as a community start securing the Human OS, the bad guys will continue to have it easy. Technology alone can only go so far.
Lance Spitzner is the training director for the SANS Securing the Human Program.