Today I will not provide you with another chapter from my book draft but talk about a topic that fascinates me since some time.
Awareness trainings are the neglected pillar of cybersecurity, especially when a CISO has a strong technical background, like I have. When I think about cybersecurity I think about SECURITY people that follow SECURITY processes and policies which are implemented with SECURITY tools, because as security engineer I learnt over many years how to to solve problems with algorithms, compilers, and machines. During my career the number of people I was responsible for increased a lot and at the same time these people are less and less IT-aware.
Maybe you know this path and thinking, then I would recommend you to take a look into the event logs of a virus scanning tool or intrusion prevention system. Funny, but 99,99% of the events are caused through people! And what happens outside your infrastructure, or by "out of bound" attacks to circumvent detection systems (e-mail vs social media)?
So, there is no reason to build thicker walls to protect the people, instead help your colleagues to protect themselves.
Don't tell them what not to do, but tell them what works to protect them.
Building a security awareness program is like building a vulnerability management program for people. (little joke) It makes a lot of sense to put the majority of your effort into the planning phase to get the ground work right and not just rent a of-the-shelf information security training e-learning program that every employee has to go through once a year. For compliance reason that might make sense, but personally I always challenged myself in being faster than last time clicking through such trainings and never fully followed the content. Maybe I was not the only one.
For me the following steps worked well to define a awareness training that just fits. So far I don't have long-term data to share but will do so later.
1.) What are your goals?
What would you like to achieve with the training? Like, an improved security posture for the company. Reaching every employee at least once a year. Teaching what matters. But also fulfilling compliance requirements.
How should employees perceive the training? Like, it should fit their daily work and their tight schedule.
2.) What is the threat landscape of your company?
While the goals are the governing framework of how to teach and how to measure, this question will lead us to the "What" - the content of the training.
Your threat landscape is build of requirements which come from 3 directions:
- Compliance: PCI-DSS, your cyber insurance, data protection law, contractual requirements, and so on
- Crown jewels: The critical business processes, that are essential to make money and if disrupted or stolen brings your company's income to 0 very quickly
- Adversary interest or intent: like copying the recipe of a vaccine, causing reputational damage to get a competitive advantage, mass spreading ransomware (which makes you just a random victim), stealing company budget with BEC...
Don't limit your view to cyber, talk to your enterprise risk manager (ERM), business continuity management (BCM) team, or to the C-level managers to get a complete view.
BTW. to quantify the "How" of attack vectors and the "How" of the amount of cost the
Data Breach Report from IBM is a very good source.
3.) Adversary personas
To further define the "What" we need to dig deeper into the adversary interest. Here you can let your creativity run (almost) free.
I would assume that most companies are not the daily target of nation-sate actors. Nevertheless if you are part of an international company think about subsidiaries close to governments known for their cyberattack capabilities and their strong cybercrime scene, like North Korea, China, Iran, Russia, and also the USA and some NATO partner states. Your subsidiary might become of interest if you transfer a lot of money world-wide, have huge Internet outlets or knots, doing research, being political engaged, or are the top vendor for a key technology (this often affects SME here in Germany).
But as I said, don't let your creativity fly too high and lose ground.
Talk to ERM and the legal department to better understand the history of your business risks.
The corporate (cyber)crime aims to get a competitive advantage not just by stealing money but also by damaging your company's reputation.
If you are responsible for the cybersecurity of a University your adversary persona might look out for details of upcoming exams or wants to change grades.
What is mostly ignored is the insider threat, either intentionally or accidentally. If I sum up the categories of the root causes for malicious data breaches from the IBM Data Breach Report where employees are the target or the actor, than I get 29%. 1/3 of all data breaches are caused by employees, either directly or indirectly. And this number does not count people leaving the company, starting at a competitor and taking secret business information with them!
The term "persona" is from the UX design domain as far as I know, and we will use it that way later for the employees. For the adversary I recommend using the "diamond model" (see my blog post "
Terminology, Frameworks and Standards - Part 2"). By using this model you have the ability to bring the intent and the technology used together on the "social-political axis" and the "technology axis".
4.) What topics to teach?
Now you know what your threats are, these are the topics to teach.
5.) How to measure success?
I am sure you know the quote "You can't manage what you can't measure" (the author is unknown as far as I know), anyway before you start your awareness campaign make sure you have a good way to measure your impact to the people of the company.
For example if you came to the conclusion that ransomware is a big issue for you ("What to teach") than you should be able to analyze the antivirus scanner, endpoint detection agent, IPS, web-proxy blacklist, etc etc log files to see if the number of detected malware decreases (this value needs to be normalized to the overall malware volume).
If your topic is Phishing, run a simulated phishing campaign and measure the "click rates".
I think you got it.
6.) Employee personas
To understand the people you need to protect send special questionnaires about age, gender, interest, work style and work tools etc to the line managers of your company to get a better understanding.
If we stick to the analogy of having a "vulnerability management program for people", then this is your asset database. :-)
Create personas for your leadership team, blue collar workers, marketing personal, the HR department and so on (check the org-chart). These are your "fishes" and the "bait" has to be tasty for the "fish" not for the "fisher" (you).
7.) How to teach the topics?
Think about which kind of training best fits the employee personas you just generated. Of course you still can do the yearly information security training for compliance reasons if you have to but to really reach out and change something, create content and use channels that fit your colleagues:
- ad-hoc e-mails for critical and hot topics
- 1:1 training for members of the executive board
- 2 to 5 minute videos for blue collar workers
- fancy comic style one pagers for the marketing people
- short checklists with easy language for Boomers, finance, purchasing
- games for ...
- and deep technical training for IT staff
Tell your colleagues always why there is a problem and not only what to do and not to do.
8.) And finally the awareness training content
With all the information you gathered in the previous steps you have the puzzle pieces to create the training material that just fits!