5 myths about awareness

Lance Spitzner of SANS Securing the Human program outlines five common misconceptions about security awareness programs

I'm often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong.

1. Training does not work

I often hear people say: "Awareness does not work. I have never seen an awareness program actually change people's behavior."

To be honest, I have to agree with this statement. Most awareness programs in the past have failed to change behavior. However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested.

[3 reasons why employees don't follow the rules]

These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter.

For an awareness program to effectively change behavior, you need to create a program that is designed from the ground up to change behavior.

2. It's not worth it because someone will still mess up

People tell me that awareness is a failure; that no matter how much you train people, there is always a small group of people that will still fall victim. Folks, security is all about reducing risk, not eliminating it.

Awareness is nothing more than another security control. Why people hold awareness to a different standard is something I'll never understand. Awareness is no different than encryption, firewalls or intrusion detection. However, with awareness, you can get a tremendous return on your investment, in many cases reducing up to 95 percent of the human risk, according to measurements taken in phishing tests. Show me any other control that will get you that type of ROI.

3. People already know what to do

I've read interesting reports from academics that say people already know what secure behaviors to follow, they just choose not to follow them.

Wow, where are these people getting their data? With the organizations I work with, not only do people usually have no idea what secure behaviors they should follow, but they are also hungry to learn. They know there are bad guys online, but they don't know what to do to protect themselves from them. The problem is not the people. The problem is that we are not effectively training them. What is the number-one thing that, in my experience, people did not know? They had no idea that keeping operating systems and applications current was critical to keeping their computers and mobile devices secure.

[Maybe you shouldn't train employees for security awareness?]

4. It's all about prevention

When people discuss awareness, they usually focus on just prevention --they're trying to implement the idea of the "human firewall." While prevention is important, why limit ourselves? Why not train people to become human sensors as well?

Teach workers the indicators of a compromise and have them report potential incidents. For example, if you are doing phishing assessments internally, you should not just track how many people fall victim, but also how many detect and report the attacks. Just think how much stronger your organization would be then.

5. It's simple

Many people I work with assume that creating an awareness program is simple. If your only goal is compliance, then yes, awareness programs are simple. But if you want to effectively reduce risk by changing human behavior, you need to have a plan. Specifically, you need to identify who you are targeting in your program, what changes in behavior reduce the greatest risks to your organization, and how you will engage and communicate those changes in behaviors.

One of the most common obstacles to effective awareness programs that I see at companies is that they do not know where to begin. You can find a complete set of free planning resources developed by the community, for the community, on the SANS Securing the Human website, which includes a poster that documents each step to take and provides all the templates and checklists you need to build your program.

I'm a huge fan of awareness, and I have seen the tremendous impact it can have. However, until we as a community start securing the Human OS, the bad guys will continue to have it easy. Technology alone can only go so far.

Lance Spitzner is the training director for the SANS Securing the Human Program.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about LanceTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lance Spitzner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts