I recently came across an article that pronounced security awareness efforts to be a complete and total waste of time. The author insisted that awareness efforts have no real value and that the true path to information protection lies in the advancement of technical security controls. Needless to say, I vehemently disagree with this perspective.
While security awareness and training programs, as implemented today, do indeed meet with limited success, this does not invalidate their use. In fact, when one examines the key reasons why contemporary security awareness and training programs fail, it has more to do with the foundations they are built on and the manner in which they are carried out.
The Top 10 Reasons Security Awareness and Training Programs Fail:
1. Failure to engage executives in establishing risk tolerance levels: One thing I see time and time again is a security approach that is based on assumed levels of risk acceptance determined at a middle-management level, on some sort of idealistic ‘best practice’ model; or worse yet – a strictly compliance-based program. The truth is, information security is a risk management issue that requires executive involvement. It is crucial that the executive team be engaged to determine the level of risk that is and/or is not acceptable to the company (more on this in an upcoming article).
2. Executive-level visibility, support, and enforcement: There is a lot to this topic, but in essence it all boils down to setting the ‘tone from the top’ and leading by example. This is primarily an issue of corporate culture – of core values and beliefs (more on this below). It’s about changing patterns of behavior to be consistent with the security goals of the organization. If employees don’t see security being taken seriously by upper management, how can they be expected to take security matters seriously themselves?
3. Misalignment between business and security goals: I’d also add that misalignment between information security, privacy, compliance, and general risk management goals is at issue here. Some of this can be addressed by dealing with the issues identified above, but well-defined security goals and objectives should be an outcome of the executive engagement process and the involvement of senior leadership. These goals need to be consistent with what the business wants and needs, as well as with the risk management portfolio of the organization. A security program that stands alone is doomed to fail.
4. Lack of a cohesive organizational security strategy: Information security is a strategic risk management issue for organizations of all types and sizes. Many times however, there is not a comprehensive, cohesive security strategy in place from which clarity and consistency can be drawn. Unless security awareness and training is considered as part of a more holistic defense-in-depth security model it will never have the legitimacy required for organizational adoption.
5. Poorly defined security policies and other written resources: This is a big one – and the one I see as the biggest failure of most organizations. In past articles I’ve spoken (both seriously and humorously) about adopting a ‘For Dummies’ approach to writing security policies. The main problem is, most security policies are written to read like legal documents and are more about keeping the company out of trouble than they are about providing information or influencing a change in behavior. The simpler and more accessible we make the policies, standards, guidelines, and procedures we expect our users to follow, the more likely they are to actually read, understand, and apply them.
6. Poor availability of useful guidance, materials, and security support: I am a firm believer that most people want to do the right thing when it comes to information security. Often they just don’t know what the ‘right thing’ is in a given situation. Even if the policies are clear and useful, they need to be made available in an easy-to-use, online format, in a centralized manner. In addition to posting the core policies and other materials, generating short ‘how to’ documents, offering Q&A information, and including contact information are all essential. People need to know where to go – and who to talk to if they have questions or need help.
7. An organizational culture that does not emphasize the value of information: I’ve already alluded to this above, but it’s a topic of such importance that it needs repeating in a slightly different manner. An effective information security awareness and training program is all about ‘changing the hearts and minds’ of employees, business partners, customers, etc. This may sound a little overdone, but the reality is, all good security programs have elements that are deeply embedded in the corporate culture of the organization. Information has value – and anyone coming into contact with that information must understand its value, why it is valuable, and why it must be protected. We want to create behaviors that are consistent with our security goals – this is done at a cultural level.
8. Deep emphasis on technical controls without considering the human factor: This goes back to the issue of having a holistic security strategy in place, but it’s also representative of a systemic problem within the security community that we must address. In the article I mentioned in the introduction, I discussed the view that a heavy investment in security technologies is often presumed to be the be-all and end-all of security controls. This is a deeply flawed concept – and an extremely dangerous one for any organization to consider adopting (although it is sadly the standard model applied in many places). Security technologies cannot keep pace with attackers – this has been true for quite some time now. Relying solely on security technologies is also extremely costly – you’ll never have the funds to cover all of your bases – never!
9. Limited visibility into security metrics and measures to indicate success: Attributing value to a protective control is often difficult to do, especially when measuring the impact of security awareness and training initiatives. It’s even more difficult to do if you don’t have any mechanism in place for measuring success. Again, this is one of those things that very few organizations place any degree of emphasis on, but it is vital to properly protecting an organization’s information assets. As a challenge to the article that inspired me to write this post – I’d like to see the data that supports their position. It’s my experience that this data cannot be produced because it’s not actually being measured properly.
10. Failure to create an interesting and engaging security awareness experience: Most of the security awareness materials I see produced are sad at best. A few corporate e-mails, perhaps a slide deck, maybe even a cheesy video or online training tool. None of these things work because they fail to actively engage the participant. In order to create sustained patterns of desired behavior, it is essential that individuals be immersed in the material – not just your security expectations, but WHY those security expectations have been put in place to begin with. The why is far more important than the ‘what’ or the ‘how’ – without explaining the why, there is no interest, no ownership, no engagement. Knowing WHY also enables individuals to more selectively apply proper security controls based on their unique circumstances, rather than just ignoring inflexible requirements altogether… but that’s a different topic for another day.
There are many other issues that will influence the effectiveness of a security awareness and training program – like categorizing user groups, creating targeted materials, using effective training techniques, etc. But these are all secondary to the critical issue of having a solid security foundation in place to begin with. If you simply try to jump from ‘we sort of have a security program’ to ‘now let’s do this awareness thing by sending out a monthly e-mail’ then you shouldn’t be surprised that no one knows anything about security within your organization. No one cares because they have no reason to do so – no resources to enable them, and no one to turn to when they need support.
Anyone who limits their concept of security awareness and training to things like posters, blanket e-mails, and cool looking mouse pads will most certainly fail. While these are common methods for encouraging awareness, they do nothing to actively engage the user constituency in the process of security. Active engagement and a well-built foundation are the keys to success.
To say that security awareness and training is a waste of time and money is simply untrue. It is actually the most effective and cost-effective security control you can put in place! And that is a simple fact!