It has been claimed that much of the insider threat stems from "user stupidity". But is it really stupidity, or are users merely unaware of security policy? When users download software to scan the skies for aliens, are they intending to create network vulnerabilities[1] and invite hackers in the back door? Or are they simply unaware that such actions violate security policy, and unaware of the problems such violations can cause?
Most users don't want to cause major security breaches, but do so out of ignorance. Standard security advice is to educate users on security policy, but this is easier said than done. "Nearly all large organizations have formal training programs in place, either as part of a new-hire training program or on an ongoing basis or both," according to Alan Paller, director of research at SANS Institute. "These programs are notoriously ineffective... Audits taken of employees who have been through many of these programs find them still willing to share passwords, still willing to tell someone proprietary information over the phone, still willing to hold the security door open for someone walking in a uniform carrying a computer."[2] If organizations want to reduce the internal threat, they are going to have to be innovative.
Creative methods are necessary to convey the boring but important stuff.
§ Surprise them!
Some months back all employees of a small software company received an e-mail entitled "Cool Games" with an EXE attachment. Opening EXE attachments was strictly against company security policy, but who knew? Thirty percent of the recipients opened the attachment. It turned out the e-mail came from MIS. The company wanted to know how many users were aware of security policy and how well they would abide by it. Each employee who opened the attachment received a personal e-mail from the VP in charge of IT, reminding him or her of the personal responsibility that company employees are expected to show and expressing the VP's personal disappointment at the employee's lack of security awareness. Receiving such a letter from an executive that people know and like is a painful enough reproof to ensure that users won't make the same mistake again. This one small effort substantially improved company security by heightening user awareness.
§ Trick them!
Find out how well users can apply those policies to real-life events. Social engineering, for example, can catch even policy-conscious users. Have an outsider, such as a security consultant, call employees at their desks and, reading from a script, request the employee's password or other confidential information. The script should be written so that the request sounds innocuous yet persuasive. Every employee who complies has identified a gap that training has not closed.
§ Amuse them!
Federal Aviation Administration (FAA) CIO Daniel Meehan and Director of Information Security Michael Brown hit upon a surefire method for getting users to at least read the literature they distribute: printing it on cardboard pyramid-shaped giveaways. The pyramids explain the "five levels at which security issues arise: personnel, physical facilities, information systems security, site-specific adaptation and redundancy. It also describes solutions in each area, such as authentication, access control and confidentiality."[3] People love giveaways, but when they're particularly useless, such as a toy, people love them even more. It's easy to imagine those pyramids sitting on quite a few desks at FAA, getting turned over now and again and tossed around a bit too.
§ Entertain them!
The Wilmington Trust Company, with almost 3,000 users, promoted the idea "Information Protection: It's Not a Game" by sponsoring a company-wide TV-style game show with all kinds of prizes. Between inspiring competition and providing incentives, Wilmington found this approach a hit. They also created crossword puzzles and word-finds with crucial security terms embedded, sent them to all staff, and counted successfully completed submissions as raffle tickets for prizes. Innovation often wins over even the skeptic.
Ensure that ignorance is no excuse.
§ Remind them!
Create a security culture in your organization. Even if users are familiar with security policy, it might not be on the top of their minds when sitting behind the screen. Users should think about security on a daily basis. A governmental organization of about 5,000 users had this in mind when they created their log-on banner. Each time users attempt to log on to the network they receive a message including one security policy or tip. Users are prompted to answer a multiple-choice question, checking their comprehension of the message. Users must successfully answer the question in order to complete the authentication process and log on.
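One way to implement such a log-on gate, as an added example that is not the agency's code (the tip pool, the selection key and all function names are invented for illustration). It goes a little beyond the paragraph: each user gets a question chosen deterministically per day, so a retry after a wrong answer repeats the same question while neighbours logging on the same day usually see different ones, and the audit trail reports which tips are most often missed so the awareness program knows where to focus next.

```python
"""Log-on banner with a per-day comprehension question (added example)."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed tip/question pool. The wording is invented for this example,
# not the agency's banner text.
QUESTION_POOL: List[dict] = [
    {
        "tip": "Passwords are personal. The help desk will never ask you for yours.",
        "question": "A caller says they are from IT and asks for your password. You should:",
        "choices": ["Read it out", "Refuse and report the call", "Spell only the first half"],
        "answer": 1,
    },
    {
        "tip": "Executable attachments (.exe) must not be opened, even from known senders.",
        "question": "A colleague forwards 'Cool Games.exe'. You should:",
        "choices": ["Run it at lunch", "Forward it to friends", "Delete it and notify security"],
        "answer": 2,
    },
    {
        "tip": "Hold the door for nobody without a visible badge, uniform or not.",
        "question": "A person in a courier uniform waits at the badge door. You should:",
        "choices": ["Send them to the visitor desk", "Hold the door open", "Ignore them"],
        "answer": 0,
    },
]

# Hypothetical per-deployment secret; it rotates which question each user sees.
SELECTION_KEY = b"example-selection-key-change-me"


def pick_question(username: str, date: str, pool: List[dict] = QUESTION_POOL) -> dict:
    """Choose one tip deterministically per (user, day).

    Keyed hashing means a user who answers wrongly and retries sees the same
    question, while two users logging on the same day usually see different
    ones, so copying a neighbour's answer does not help.
    """
    digest = hmac.new(SELECTION_KEY, f"{username}|{date}".encode(), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


@dataclass
class AuditLog:
    """Audit trail of gate decisions, kept for awareness reporting."""
    entries: List[dict] = field(default_factory=list)

    def record(self, username: str, date: str, outcome: str, tip: Optional[str]) -> None:
        self.entries.append({"user": username, "date": date, "outcome": outcome, "tip": tip})

    def quiz_failures_by_tip(self) -> Dict[str, int]:
        """Which tips are most often missed: where the next awareness push should go."""
        return Counter(e["tip"] for e in self.entries if e["outcome"] == "quiz-fail")

    def quiz_failures_by_user(self) -> Dict[str, int]:
        """Who repeatedly fails the check: candidates for the VP's personal e-mail."""
        return Counter(e["user"] for e in self.entries if e["outcome"] == "quiz-fail")


# Callback standing in for the banner UI: (tip, question, choices) -> chosen index.
AnswerFn = Callable[[str, str, List[str]], int]


def login_gate(username: str, password_ok: bool, date: str, answer_fn: AnswerFn,
               log: AuditLog, pool: List[dict] = QUESTION_POOL) -> bool:
    """Complete log-on only if credentials are valid AND the question is answered correctly.

    Credentials are checked first, so the question is never shown to someone who
    has not authenticated. A wrong answer denies this attempt but is logged as a
    comprehension failure, not a credential failure, so it must not feed lockout logic.
    """
    if not password_ok:
        log.record(username, date, "bad-credentials", None)
        return False
    q = pick_question(username, date, pool)
    chosen = answer_fn(q["tip"], q["question"], q["choices"])
    if 0 <= chosen < len(q["choices"]) and chosen == q["answer"]:
        log.record(username, date, "pass", q["tip"])
        return True
    log.record(username, date, "quiz-fail", q["tip"])
    return False


if __name__ == "__main__":
    log = AuditLog()
    # Simulated users: one reads the tip and answers correctly, one always picks the first choice.
    careful = lambda tip, question, choices: next(p["answer"] for p in QUESTION_POOL if p["tip"] == tip)
    hasty = lambda tip, question, choices: 0
    print(login_gate("alice", True, "2001-08-01", careful, log))
    print(login_gate("bob", True, "2001-08-01", hasty, log))
    print(dict(log.quiz_failures_by_tip()))
```

In a real deployment the pool lives outside the code, the selection key is a per-site secret, and the gate hooks into whatever authentication stack the network uses; the ordering (credentials first, question second) and the separation of "quiz-fail" from "bad-credentials" in the audit trail are the two points worth preserving whatever the platform.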
§ Test them!
Even the most creative methods of grass-roots education may not get through to some people, and companies need to know that their users at least understand security policy and what behavior constitutes violation of that policy. Mandatory periodic tests can dramatically increase user awareness and provide concrete evidence regarding individual users' understanding of and concern for network security.
To this purpose, insurance giant Aetna instituted a Web-based security policy exam, which "must be completed by employees within 30 days of hire and annually thereafter. Before beginning the exam, employees must sign off on Aetna's security policy."[4] Aetna issues a certificate of completion to each user upon "passing" the exam, and many employees post these certificates in their offices.
Study user behavior and block policy violations.
Confidence in user awareness is an attainable goal; it would be nice to know that users won't willingly violate security policy as well. However, there will always be a certain measure of doubt on that point, no matter how devoted people seem. Monitoring network use is a must, although the labor involved is cost-prohibitive without automated tools. Make sure the monitoring software you purchase can block policy violations in real time and provides audit trails or reports on user behavior that you can use to refine and strengthen your security policy.
This was first published in August 2001