Does Security Awareness Work?
According to the Verizon 2018 Data Breach Investigations Report, phishing and pretexting account for 93% of the breaches that involved a social action. With stats like that, you would think cybersecurity awareness would be a top priority for organizations. However, some cybersecurity professionals claim that awareness is not effective and will not change individual behavior. I disagree with their pessimism: human behavior can be changed. In fact, advertisers pay millions of dollars for a Super Bowl ad precisely to get people to change their behavior.
Typically, negative opinions come from experience with ineffective cybersecurity awareness programs. Yet not all programs are the same; there is a spectrum of maturity for cybersecurity awareness programs. The SANS Institute recognized this and developed its Security Awareness Maturity Model, which has five levels of maturity in implementing security awareness. The model is copyrighted but aligns with the Capability Maturity Model Integration (CMMI) and the Control Objectives for Information and Related Technologies (COBIT) maturity models. It is not clear why they created a redundant scale when an industry standard was already available and used in practice.
There is also a correlation between an organization's risk of cyber-attack and the maturity of its cybersecurity awareness program. Organizations with more mature programs are at lower risk; nonexistent or immature programs put organizations at high risk. As with any spectrum, there are multiple levels between the extremes.
Organizations at the lowest maturity level have no cybersecurity awareness program at all. These organizations face a high risk that an employee will become a victim of social engineering: someone will click a link to malicious code or respond to a phishing email. At that point the employee has unwittingly introduced the attacker's malware onto the organization's network, and once attackers have a foothold inside the network the organization is at their mercy.
The next level up in maturity involves organizations that are in the initial stage of a program. This is done ad hoc or with the mentality that security awareness is needed to check a box. Such compliance-focused organizations are often simply going through the motions, and awareness is not becoming part of the corporate culture. While the risk is less than for organizations with no cybersecurity awareness program, it is still high because staff have not bought into the fact that security is important. To move out of this level, management needs to set the tone at the top: not a tone of compliance or checking a box, but one of change.
The next two levels proceed up the maturity spectrum: the program is documented by policy and enforced by management, and employees become aware and start curbing dangerous behaviors. Compliance is not the goal at these higher levels; reduced risk of cyber-attack is the driving force. Often management does not "see the light" until an incident has happened. Once an organization is hit by a social engineering attack that leads to a breach, management finds religion and cybersecurity awareness programs are finally established or get the support and budget they need. Some industry reports indicate that operations and finance are often the departments holding back the program, which is why it is important to have executive management champion a cybersecurity awareness program.
The highest level is reached when an organization tracks metrics and adds quality assurance to the process. At this level the organization checks the effectiveness of its cybersecurity awareness efforts by testing staff with simulated social engineering attacks (for example, phishing simulations) and uses the results as input for program improvement. The idea that the program should evolve over time is essential: attackers adapt their tactics, and organizations need to adapt as well.
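The feedback loop described above, as an added example that is not part of the original post: a small Python script that turns phishing-simulation results into the metrics a program at this level would track (click rate, report rate, credential-submission rate, repeat clickers, and whether the trend across campaigns is improving). The record format, the field names and the three quarterly campaigns are constructed assumptions, not output from any particular simulation tool.

```python
"""Phishing-simulation metrics as a feedback loop for an awareness program.

Added example, not code from the original post. The record format, field
names and the sample campaign data below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # campaign identifier (assumed field)
    user: str       # recipient (assumed field)
    clicked: bool   # followed the lure link
    reported: bool  # reported the message to the security team
    submitted: bool # entered credentials on the landing page


# Constructed sample data: three quarterly campaigns sent to the same staff.
SAMPLE = [
    Result("q1", "alice", True, False, True),
    Result("q1", "bob", True, False, False),
    Result("q1", "carol", False, True, False),
    Result("q1", "dave", True, False, True),
    Result("q1", "erin", False, False, False),
    Result("q2", "alice", True, False, False),
    Result("q2", "bob", False, True, False),
    Result("q2", "carol", False, True, False),
    Result("q2", "dave", True, False, True),
    Result("q2", "erin", False, True, False),
    Result("q3", "alice", False, True, False),
    Result("q3", "bob", False, True, False),
    Result("q3", "carol", False, True, False),
    Result("q3", "dave", True, False, False),
    Result("q3", "erin", False, False, False),
]


def campaign_metrics(results):
    """Per-campaign click, report and credential-submission rates (fractions of recipients)."""
    by_campaign = {}
    for r in results:
        by_campaign.setdefault(r.campaign, []).append(r)
    metrics = {}
    for name, rows in sorted(by_campaign.items()):
        n = len(rows)
        metrics[name] = {
            "sent": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
            "submit_rate": sum(r.submitted for r in rows) / n,
        }
    return metrics


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted training."""
    clicks = Counter(r.user for r in results if r.clicked)
    return sorted(user for user, count in clicks.items() if count >= min_clicks)


def program_trend(results):
    """Compare first and last campaign: 'improving' needs fewer clicks AND more reports."""
    metrics = campaign_metrics(results)
    names = sorted(metrics)
    first, last = metrics[names[0]], metrics[names[-1]]
    if last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"]:
        return "improving"
    if last["click_rate"] > first["click_rate"]:
        return "regressing"
    return "flat"


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE).items():
        print(f"{name}: sent={m['sent']} click={m['click_rate']:.0%} "
              f"report={m['report_rate']:.0%} submit={m['submit_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("trend:", program_trend(SAMPLE))
```

The report rate is tracked alongside the click rate on purpose: a falling click rate alone can mean the lures got easier, while a rising report rate shows staff are actively feeding the security team, which is the behavior change the program is meant to produce. The repeat-clicker list is the "input for program improvement": it tells you who needs targeted follow-up rather than another all-hands slide deck.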
The human firewall, as it is often called, is a vital control in a layered approach to cybersecurity. Just as the links in chain mail overlap to provide redundant protection, controls like cybersecurity awareness work in tandem with technical controls, making an organization more resilient against cyber-attacks. If lowering the risk to your organization is important, then addressing social engineering is a must. We need to strengthen the human firewall and stop treating security awareness as a box that needs to be checked.
Where are you on the spectrum of cybersecurity awareness?