By Sarb Sembhi
If current user awareness is still relevant today, why is every security event full of CISOs complaining about users or passwords? After 20 years of user awareness, of discussing passwords and of not clicking on links in emails, the security industry is still talking about these as if they are new requirements. Where are the results which prove that the current model has worked, and will continue to work?
What is wrong with the current model?
The current model was for yesteryear, not for today, and it certainly is not fit for purpose for tomorrow. Here are some of the reasons it is unfit for purpose when it continues to be used in the way it has been.
1. The world view of the current model is inadequate for today’s requirements
The traditional model for user awareness is based on users having 90 percent of their usage and computing behavior developed in the workplace. This is no longer true today, as the total time employees spend on a computing device or online at work may amount to 30 percent or less. This means employee behavior is more likely to be a result of what they do, and how they do it, outside of work.
Although the existing model relies on changing employee behavior during work time, the reality is now the other way around.
2. The user awareness model of changing behavior is flawed
Marketing training and books often state that it takes 15-20 views of a single ad before it invokes action. Public awareness campaigns often assume years of promotion; however, many have also been backed by legislation, with advertising before and after. Examples include wearing seatbelts, drink driving, and the use of mobile phones whilst driving.
The advertising profession has shown that it is unreasonable to expect any action from individuals who have been shown a message fewer than 15-20 times over a short period of time. User awareness programs, by contrast, cram and fire out several key messages throughout the year.
3. The current model assumes it is the sole provider of security information
Any service or project that is implemented as if it has a monopoly on providing that service, but falls short of providing it, is going to fail both the user and itself. Providing security information is not, and should not be, the sole responsibility of the enterprise. Enterprises of all sizes are responsible for their role in educating users, but the program should not be the only source of information.
4. Vendor resources are not utilized or leveraged adequately
Enterprises invest in lots of tools from vendors for everything from anti-malware to threat intelligence, firewalls, email filtering, etc. Almost every vendor allocates funding to produce resources, and most of them would be happy to produce resources for users.
5. The focus of impact is only on the enterprise’s priorities
Most user awareness programs focus on mandatory regulatory topics and the current flavor of the month for the top threat. A wider approach would work better. For example, the success of cybercrime has led to its increase, so not including the reduction of cybercrime as an objective is a mistake, as is not focusing on what users want to, or need to, learn, which would encourage them to learn about protection independently.
6. User awareness topics and resources often lead to negative follow-on conversations
For example, the most common conversation about GDPR after training is: “What a big pain it is having to work on it, with it, around it,” etc. If GDPR is taught well, it could lead to continuous conversations about the rights of individuals and whether or not the enterprise is respecting them. Positive conversations are more likely to extend to contacts outside the enterprise where people have a real and meaningful dialogue. Conversations which extend beyond the enterprise may lead to further dialogue within the enterprise on practices and processes. All effectively covered topics should lead to extended discussions beyond the training.
7. The lack of leading research into what works or works well
When it comes to risk, enterprises can refer to frameworks and standards for reference and determine what should be included and what may or may not work for the enterprise. There is a lack of quality research challenging user awareness. Information and articles mostly perpetuate the current model (to sell more services) rather than challenging it. Most user awareness approaches tend to impart lots of messages in the cheapest and quickest way possible, and in the fewest sessions possible, but without research on whether this is an effective approach.
8. The concept of the user as a control is limited due to the model’s narrow view of the world
Most users are non-malicious, responsible and conscientious about getting their work completed to keep their job (and perhaps develop a career). In theory, due to their good intentions, most employees should be excellent at taking all actions necessary to restrict malicious acts, actions, and consequences. In practice, most employees have more work than the time available to do it. This means they need to develop the skill of skim-reading everything, so they skim even the fraudulent emails and links to vulnerable websites they open.
The skills employees must develop to achieve results contradict those taught in awareness training, which leaves employees as unreliable control mechanisms for limiting mistaken click-throughs. Employees cannot be alert and vigilant at all times, especially when they are given demanding workloads.
9. Right tool for the right job
User awareness is a tool, and experts often recommend using the right tool for the right job. The unexplored questions are: What is the correct job for user awareness? What should it be used for and why? Is it the only tool that should be considered for the job?
If the tool that enterprises are using (user awareness) to change behavior is flawed because of the way it is deployed in the enterprise, then should it still be used?
10. Where users spend their online time and develop their lasting behavior habits
Twenty years ago, employee time on the Internet at work was research-related rather than personal browsing. At home, they probably had one connected device for the whole household. Since then, mobile phones, tablets, and other devices have come into our work and home lives. Today’s households may have at least one, and up to three or more, devices per person.
People are not only connecting more devices and doing more on the internet, but they are spending more time online out of work than at work. Today, employees may spend 30 percent or less time online at work and 70 percent of online time outside of work.
The behavior habits of employees are being formed outside of work, and then brought into the workplace. Since they can form these habits uninhibited and uncontrolled, these are the habits that are likely to stick with them more permanently.
11. Threat and risk behaviors outside of work will be brought into work
Employees often trust the security of their work environment more than their home environment; consequently, they have been happier to do their personal online banking at the workplace. As smart devices can be connected to any wireless network anywhere, people connect to them anywhere and do not worry enough about security and the threats that they may be exposing themselves to. There are several mistaken beliefs behind this, including the thought that they don’t have anything criminals would want. This has had the effect of people connecting to anything and accessing anything, because the harm may not be immediately apparent.
The threat is that oblivious employee behavior outside of work is reflected in their behavior at work.
12. Devices, connections and interconnectivity
The threats are compounded by the recent onslaught of new consumables: the health, home and surveillance devices and services now available. The media has highlighted several examples of the lack of basic security in many devices, with little impact on sales of those devices. With the average home expected to have around 30-80 connected devices in the next few years, there are concerns that secure devices are made vulnerable by other vulnerable devices.
The habits that people form when purchasing, installing and using these new devices will form the basis of how they respond to and deal with new technologies at work; this is apparent in the reports of shadow IT in the workplace.
13. Defenses required to stay safe
The defense mechanisms people needed to stay safe and secure 20 years ago amounted to an anti-malware package. This is not true today, where people need so much more, not only due to the vast range of devices that they will misconfigure on their home network, but also because organized crime has realized that cybercrime is more profitable than other forms of crime.
Devices and the threats in the home have increased, but education and prevention tools have not. Therefore, employees working from home may be exposing their devices to more threats than ever.
14. Metrics for user awareness
Articles on user awareness do not consider it as a tool for the job. If it is not the right tool for all that it is used for, then is the metric still relevant?
When your only tool is a hammer and the only metric you have is how well you’ve hammered something into something else, should you not be re-examining the situation to redefine the response required and additional tools required for the toolbox?
15. The metrics obsession has driven vendors into dumbing down
The obsession CISOs have with metrics, and with using them, is well known. When a vendor has approached them with good solutions that don’t check the traditional user awareness box, or the related metrics for it, the vendor has had to dumb down its products and services to make them saleable. This drives market innovation down, not up, and will continue to do so unless the model changes.
Insanity is to keep doing the same things and expecting different results. User awareness models have duped the security industry into believing that it is the only tool for the only job that needs to be done.
User awareness training models used 20 years ago, when users spent all their online time at work, could have achieved the behavior changes required from the training. But today, when the majority of time spent online, and the online habits formed, are likely to be outside of the work environment, user awareness on its own is not going to achieve the desired behavior changes required by regulators and legislation.
We need an alternative approach which incorporates the way that the world, devices, e-commerce, the internet, people and people’s lives have changed over the last 20 years, and one that tries to foresee upcoming developments.
With inputs from Sarah Janes, Director Layer8 Limited, Liz Fenton, Director Urban IQ Limited, and Flavius Plesu, CEO OutThink Limited.
Sarb Sembhi CISM is the founder of Security2Live and CTO & CISO of Virtually Informed.