Do security awareness programs really work?

When was the last time you saw one or more members of the Police force patrolling the street where you live? In the last 20 years I have not seen a single police officer cruising along my street looking for crime in progress, even though crimes have occurred in one or more of those localities. So how do the Police deal with many of the crimes that occur? They can’t be everywhere… if they could there would be almost as many Police officers as there are civilians, which is not feasible.  The Police rely on civilians seeing a crime taking place and then reporting it.


The police force is far more effective because of humans providing incident detection and notification. Similarly, in your security defence strategies, you could also use some additional hands detecting and notifying you about cyber crime in progress within your organisation. You can’t be everywhere. You may have technology, but it is only going to see a fraction of the possible cyber crimes. Don’t limit the detection and response capabilities to just the IT or security teams; open it up and let others assist.police patrol crime detection


The problem of course is that almost everyone is able to detect a burglary in progress or a fight between two rival gangs in the street and pick up a phone and call the police; but they probably wouldn’t know the first thing about how to spot a phishing attack or whether a file contained a Trojan. This lack of ability to identify cyber crimes makes humans the weakest link in your organisation’s security defence, but they don’t need to be. This is where security awareness comes in.


But does security awareness work?

There are many debates about the topic of security awareness amongst security professionals. Even industry heavy weights such as Bruce Schneier have been known to say that money allocated for security awareness programs would be better spent elsewhere.


Some say it is absolutely necessary, even though tests have shown that the day following security awareness training as many as 90% still fell for a social engineering attack. Some say that even if 99 out of 100 people take active measures to stop a threat, all it takes is that one remaining individual to fall victim and the organisation is not better off; so why spend money knowing that there will always be at least one who simply doesn’t learn the lessons and will continue to fall victim to a threat?


So what is my take on this topical mine field? Is it a necessary evil or simply a waste of time and money? I tend to feel that security awareness programs do not work, but…


Could security awareness work with a different approach?

I believe that security awareness programs do not work because we are taking the wrong approach.


What is needed is an approach that encompasses security awareness and takes it a lot further – development of a security culture program.

For a security culture program to be successful, every person within your organisation needs to participate, but therein lies the biggest challenge. How can you entice the entire organisation to voluntarily participate? How can you get people each with different backgrounds, skill sets and motivations all actively playing a role in your security culture program?


The answer is hidden within a quote from Orson Wells:


“I can think of nothing that an audience won’t understand. The only problem is to interest them; once they are interested, they understand anything in the world.”


Garner interest in security

Psychologists have identified through numerous studies regardless of what it is you are trying to promote that people are more interested about what is in it for them rather than how it benefits you, so you need to use this facet of human behaviour to your advantage. Get people interested and they will do almost anything in return. It’s called reciprocity and is better known as “give, and you shall receive”.


Here are some tips to get your organisation interested in being part of a security culture program:


Stop speaking in bits and bytes

Have you ever tried to gain an interest in a conversation between two people who were speaking a language you don’t understand? It’s next to impossible. Though you may be attentive at first, your mind eventually wanders and focuses on that which you can understand. It is a chicken and egg thing. We need to be able to understand to gain interest, but we also need interest to want to understand. The message here is to stop speaking information technology and security jargon to those who can’t understand it. The languages everyone understands and could possible develop some interest in are “risk” and “money”. Think about it – we are all versed in risk. We use it to decide when to cross a road, contemplating whether to speed when late for an appointment, if we should get married to someone, or whether to buck a trend or tradition and try something different and new. Though some of us may have very little of it and some may be rolling in it, money is one of those staples in life that we all have some understanding of and interest in. We can understand what it means when we don’t have it, hence relating lack of security to the loss of money or the enhancement of security to an increase in the amount of money is simpler to comprehend and will keep interest levels high.


Deliver from the heart

Be enthusiastic about developing a security culture program. If you give off vibes that a successful security culture program is trying to achieve the impossible, or worse still, that it is simply just a tick the box exercise to achieve compliance or achieve KPIs, it will show. If you are disinterested, others will see this and also display a similar lack of interest. Think of a security culture program as being like a candle. As long as the candle burns brightly, the program will continue. Enthusiasm and passion are essential to fuel the fire. Enthusiasm and passion are also infectious so make sure you have a surplus of each.


Empower the enthusiastic to promote your program

Have you noticed that in every organisation there is always someone who is willing to wear one of those goofy fire warden hats and help people evacuate the building during a fire drill, or in a real emergency, should one occur? I’m sure these people do not have some kind of crazy fetish for wearing fire warden hats, so how can one explain their eagerness to volunteer as fire wardens? These are people that want to take on more responsibility and have concern for the well-being of others, and the organisation. Have you ever performed a small and simple action that helped someone else immensely that left you feeling warm and glowing on the inside? A so called “Good Samaritan” act? These are people that feel a sense of achievement and satisfaction knowing that they have helped another person, and people like this who are already enthusiastic and want to volunteer are the people you need to help drive and promote your security culture program. These might be your power users, who use the computer a lot outside of work or they may be users who are techno-phobic but have an interest in crime fighting mystery novels, and want to test some of the much loved sleuth techniques from their readings. In any case, these people are already motivated to join in, so half of the job is done. Welcome these people to participate with open arms.


Empathising with the laggards

For the rest of the organisation that would rather march to a cliff face… and then dive off, like lemmings, rather than participate, you need to appeal to interests that they care about. Remember, humans are wired to unconsciously ask, what is in it for me? Every person will have one or both of these interests: Protecting their families from cyber criminals or protecting their finances from cyber criminals. Run lunch and learn sessions or webinars that educate users on these areas first and then you will be able to draw upon similarities to protecting your organisation’s information. Why lunch and learn sessions? Firstly, food is a good way of enticing people to participate. They feel, even if they wasted their time, at least they got a free feed. Secondly, it does not give them an excuse to use workload as a scape goat. Only those who genuinely were on leave at the time or had a lunch with a client booked weeks in advance should have a legitimate excuse.  You may need to run several of the same sessions to cater for those who couldn’t make a previous session due to prior engagements or when you have a large user base to cover. Do not have more than 16 in a session. Make sure the room you use does not invite too many distractions, like a huge window facing a busy harbour, for instance. Keep your sessions small, manageable and distraction free to foster the best possible environment for learning. This is far more difficult for webinar sessions, so you may need to break these up into shorter sessions and have really engaging content in such cases.


The power of appreciation

Once the interest has been developed, then we can approach the understanding component. This is where most organisations struggle and give up on those that show a lack of understanding. It is easy to say “we taught them once; they didn’t learn, that’s their problem”. In fact it is your problem. For each person that doesn’t learn and doesn’t participate, it only comes back to bite you. This is the fundamental reason why security awareness fails. Security awareness needs to be replaced by security appreciation.


wine appreciation and security appreciationAppreciation couples learning with experience, so let’s look at a non security related example to see how much more powerful appreciation is over awareness: With numerous former colleagues and business partners I have attended many wine tasting sessions. Wine tasting sessions are good because they encourage wine appreciation; not wine awareness. Imagine if you could only look at the bottle and not taste the wine? Could you appreciate the flavours and the textures? Would you know which wine was best with the roast duck, or which wine complemented an exquisite seafood dinner? Would you be able to decide which wine you liked most simply by looking at a bottle and listening to someone else tell you what it was like? Of course not. The problem is, I went away from every one of these sessions not remembering which wine was which! I have a good memory, so what went wrong?


I don’t drink alcohol.


For others, this was wine appreciation; for me, it was wine awareness. Appreciation comes from doing; awareness comes from knowing. Had I experienced the taste, I would have remembered a lot more about the various wines. The former is far more powerful than the latter. By doing, we push what we experienced into our longer term memories, otherwise that knowledge stays in our short term memories and fades away quickly. No wonder security awareness programs fail.


To help people understand and appreciate security, here are some useful tips:


Not everyone learns the same way

Provide various different mechanisms for users to learn. Some learn better by reading; some need videos; some need to be alone to absorb material; some are better in a group; some learn by example; some will learn quickly; others will need multiple lessons to learn even the most basic of concepts. Use stories rather than statistics, and above all make sure the learning sessions are interactive. Give people the experience of security gone wrong and contrast it with security done the right way. Some of my favourites are to show:

  • how easy it is to crack a password;
  • how easy it is to download and install malware;
  • how easy it is to obtain information simply by asking; and
  • how easy it is to find information about people through Social Media


Grey matter sometimes fails us

Even when people have actively participated in a security appreciation program, people do forget things; that’s just part of human nature, but they can be reminded. Provide ongoing security tips and progress updates about your security culture program through various means – on the intranet site, in emails, on login banners to legacy applications, on policy splash pages when accessing the Internet, at company-wide meetings and on posters throughout the buildings. Make case studies out of the good work that your organisation is doing. Progress helps keep people involved and motivated.


Blowing the whistle

Almost everybody hates a snitch, even if the intent was well meant. There is a good reason the FBI has a witness protection program. You don’t need anything as sophisticated, but you do need to provide a means for users who witness suspicious activity or evidence of insider threats to be able to report these anonymously or secretly. Providing a means for reporting of incidents in this manner does not raise any alarms, allowing you to validate and perhaps even catch wrong doers in the act; and also reduces the likelihood of uneasy working conditions being created for “snitches”.


Pardon the ignorant

Provide a no blame policy to allow for those that were ignorant of wrong doing, prior to  the introduction of your security culture program to be able to discretely come forward and admit to their wrong doing. For example, they may have been inadvertently leaking corporate data to outsiders. Knowing that admission of guilt would mean instant termination is daunting, so a policy of allowing people to admit to prior mistakes made through ignorance without loss of job is important. What is equally important is to monitor these people closely in the future so as to ascertain whether the wrong doing was through ignorance or whether this is a “get out of jail” tactic to continue wrong doing that had always been done knowingly, and with malicious intent.


Reciprocity at its best

Provide rewards for individuals that do good work in promoting or exercising your security culture program. It doesn’t need to be the Nobel Prize, or a huge increase in salary. Often a gift voucher of some small nominal value is all it takes to make a statement that you recognise and appreciate their active participation. Remember reciprocity? If they appreciate the security of your organisation, it is returning the favour and showing you appreciate their efforts.



Security awareness programs are dead

Security culture is the answer and security appreciation forms a strategic part of the program. Like a wine, security needs to be appreciated – experience it and get a taste for it; do not just learn about it, because knowledge gained through awareness fades. Also like a wine, which gets better with age, a security culture program will get better with age. But age can not come about unless you get started. The first step is to display interest and enthusiasm and others will follow. For those that need more encouragement, appeal to their interests and then share your interests. Once interest has been attained, understanding will follow. Once understanding has been attained, you are well on your way to having a cyber security culture that will move humans from the weakest link in your security defences to the strongest.

If you enjoyed this article, please consider leaving a comment

Andrew Bycroft

One of Asia Pacific's pre-eminent security advisors and consultants, Andrew likes to challenge the status quo, giving cyber security advice and developing solutions that are bold, functional, and nothing less than a work of art.

About Andrew Bycroft

One of Asia Pacific's pre-eminent security advisors and consultants, Andrew likes to challenge the status quo, giving cyber security advice and developing solutions that are bold, functional, and nothing less than a work of art.

Leave a comment