At the beginning of the 21st century, information security was in a deplorable state. Research published in 2001...
by the Honeynet Project demonstrated that the life expectancy of default computer builds was measured in hours, if not minutes. Computers had little if any security. By default, most had multiple services turned on, no firewall installed, and patching was haphazard at best. All of these forces combined to create a golden age of hacking. This was a time when you could remotely scan and hack into literally millions of computers without the need for interaction by the end user.
Since then, vendors (led by Microsoft) have worked to build security into computers by deploying firewalls enabled by default, minimizing services, using advanced memory protection, standardized patching processes and other features. As a result, computers are far more secure.
The question is, if we have made such dramatic improvements with security technology, why do we still have a security problem? The answer is simple, the human.
Consider a default installation of the latest Windows operating system, Windows 7. Place that default installation on the Internet. Due to all the latest advances in security, that computer on its own may never be hacked because, by default, the firewall is on, it is running few if any services, and it is using a variety of new and enhanced memory protection mechanisms. In addition, Microsoft has invested tremendously in a robust Security Development Life Cycle (SDLC).
Now add the human element. Once people start interacting with a computer, its risk exposure is exponentially increased. Humans read email, click on links, download files and open file attachments. People, not technology, are the weakest link--and attackers know it. In one statistic, Symantec reports that more than 90 percent of today's malware now requires some type of human interaction for infection to occur. In Mandiant's 2010 Advanced Persistent Threat report, the primary vulnerability exploited in all successful APT attacks was the human.
What is so surprising is how few resources organizations invest in securing them. Organizations forget that employees, just like computers, store, process and transfer information. You can install all the firewalls, antivirus and intrusion detection systems you want, at some point there will be little return on investment. Attackers simply bypass these defenses by attacking poorly trained employees. The good news is that because so little has been done in securing employees that even the most basic investments can have a large return.
WHY HUMANS ARE BAD AT JUDGING RISK
Before we discuss possible solutions, we need to better understand the problem. Why are humans such an easy target? What makes us want to click every link we see in email or make us believe we won the lottery (even though we never entered it)?
It turns out people are bad at judging risk. People grossly overestimate risks that are either highly visual or catastrophic (for example being eaten by a lion), and underestimate risks that happen slowly or not easily seen (for example, heart disease). We also tend to overestimate risks when we are not in control (flying in an airplane) and underestimate risks when we are in control (driving a car).
For example, let's consider risks when swimming at the beach. A common fear is being attacked by a shark. Statistically speaking, the Book of Odds says the odds of being killed by a shark in the United States are 1 in 255,000,000, which means this risk is grossly overestimated. However, something that is twice as likely to kill you at the beach is vending machines. Yes, you read that correctly, vending machines.
Your odds of being killed by a vending machine are 1 in 112,000,000, according to the Books of Odds. When people purchase an item at a vending machine, sometimes there is a failure and the food is not dispensed. Some people will proceed to rock the machine hoping it will dispense the food, only to kill themselves when the machine falls on them. People greatly underestimate this risk as they are in control.
These same problems translate to human interaction with technology. First, people feel like they are in control. They decide on the websites they visit, the email they read, the links they click on, which apps to install or which movies or songs to purchase. Since people have a sense of control, they under estimate risks on the Internet. In parallel, just like heart disease, hackers have become the silent killers of cyber space.
In most cases, people never know their system is hacked; cyber criminals can easily control a system without people noticing. Nothing visual or catastrophic happens, so once again people often downplay or underestimate the risks. Finally, unlike the physical world, in cyber space you cannot see with whom you are communicating. As a result it has become very simple for attackers to pretend to be individuals or organizations people trust.
One common method is to send emails pretending to have links to online videos, such as YouTube or video sharing sites. After following the links users are first asked to install a codec, a plugin or driver sometimes needed to view specific video formats. Both the email and the link are actually a lie; victims are not taken to legitimate video sites. Instead, these websites are most likely compromised and under the control of attackers. The codec is not legitimate, instead it is malware designed to infect and take over the victim's system. The victim believes both the email and website because they look legitimate (attackers simply copy legitimate video sharing websites). The victims believe there is no great risk because they are in control, and if attacked it is usually invisible to them. Attacks such as these happen millions of times today. Why attempt sophisticated, time consuming attacks when you can just send out emails and employees infect the computers for you.
HOW TO CREATE A SUCCESSFUL SECURITY AWARENESS PROGRAM
Now that we have a better understanding of why the human is such a risk, we need to better understand how to address those risks.
Our goal is to change people's understanding of these risks, and ultimately change their behaviors. Unfortunately this is not simple. Unlike technology, you do not simply install a new application or add a patch. Changing behavior is a long term effort.
An excellent non-security example was the U.S. Federal government's effort known as "Click-It or Ticket" where over a period of six years, states were able to increase seat belt usage more than 20 percent. This change in behavior was accomplished through a combination of awareness training and enforcement.
One of the primary ways organizations attempt to change employee behavior is through security awareness programs. This is a long term effort to train and educate employees about cyber risks and what they can do about them. Most organizations have no such program, and the few that do, fail for a variety of reasons. Let's cover how to create a successful awareness program and some of the most common mistakes to avoid.
The first step is determining why you want the awareness program--what is your goal? The two most common are compliance and security. Compliance requirements from standards or regulations such as PCI DSS or ISO 27001 state that an awareness program is required. The problem with making compliance your motivation is that often the minimum standard becomes your only goal, you invest the absolute minimum to comply.
Awareness programs such as these are often nothing more then a series of PowerPoint-generated videos loaded into an online learning management system. Employees endure an hour of online boredom as they are repeatedly told what they can and cannot do for the good of the company. If you want to reduce insecure behaviors, if you want to improve the security of your organization, go beyond just compliance.
The key to having an awareness program that creates a more secure environment is answering three questions: Who? What? And How?
- Answering "Who" determines the target of your awareness program.
- "What" determines the content of what you want to teach people.
- And, "How" is the means by which you communicate content. This is often the most challenging aspect.
Always start with "Who", because that answer determines the "What" and "How." An organizational awareness program is often designed for fulltime employees, but you cannot forget part-timers such as contractors and third party vendors. It is often these non-employee resources that have employee-like access that can be the greatest risk. Also, there are other roles you may want to target, such as management, IT staff or even your customers. Each of these targets has unique needs; make a conscious decision of whom you are targeting, and if you are targeting multiple roles you may end having multiple versions of your awareness program.
Once you have determined "Who," the next step is determining "What" the content will be. Most organizations have very limited time and resources to communicate key awareness issues. At best you have 30-60 minutes for an employee at any one time. In addition, the human mind can only remember so many topics. This means you want to limit how much you focus on. By focusing on fewer topics, not only is there less for your employees to remember (and thus less likely to forget), but it is simpler for you to reinforce those key topics. This is where compliance can become an issue. Often awareness programs that focus on just compliance simply take their entire information security and acceptable use policies and post them in nauseating details. Don't make this mistake! Have your security team go through the risks in your environment and identify what you feel are the greatest, and prioritize those. By focusing on no more then 10-12 topics, you will have a far more effective awareness program.
Next, determine how you will communicate. This is where most awareness programs fail. You have to stop thinking as a security team and start thinking as a marketing team. One method I have found works best is focus on how the employee benefits. Nothing is more boring to employees then having to sit through hours of training, and being told what they can and cannot do for the benefit of the company. The key to success is not to focus on the organization, but to focus on how employees benefit. About 70 percent to 80 percent of any security awareness program not only applies to the organization, but applies to an employee's personal life. Most of the same technologies, such as email, instant messaging, mobile phones and laptops, are used in both environments. When teaching these lessons, explain to employees how this information will help protect them at home, in their personal lives and their families. By understanding how they benefit they are more motivated to learn and the program can more effectively change behaviors.
In addition, many awareness programs are outdated using traditional learning methods. What may have worked for employees 30 years ago no longer works for the YouTube generation. People now communicate in short sound bites. One of the most effective methods we have found is short videos, online communication that grabs people's attention, videos they want to watch and learn. Then combine these methods with more traditional methods, such as onsite workshops, monthly newsletters, posters and perhaps even screensavers, often to reinforce your message.
People are the weakest link in the security chain, yet security professionals continue to pour time and resources into technology that most attackers bypass with a single email, instant message or post on a social networking site. By investing some time and resources into an active awareness program, your organization can make a big difference in securing the human.
Lance Spitzner, Director of SANS Securing The Human Program, is internationally recognized as a leader in the field of cyber threat research, training and awareness. He invented the concept of honeynets, is the author of the book Honey pots: Tracking Hackers and co-author of Know Your Enemy: 2nd Edition.
Send comments on this article to firstname.lastname@example.org.