Creating a Secure Computer User


By Keyaan Williams
Sr. Executive, CCISO Programs
EC-Council

Introduction

End users can introduce significant risk into an organization. Insecurity often originates with end users, who use IT every day but lack the experience and awareness of IT professionals. Fortunately, it is possible to transform the average computer user into a secure computer user who operates with wisdom and perspective on par with IT and information security professionals. Achieving this outcome requires a combination of formal education and training that is reinforced by effective awareness campaigns.

Uninformed users are one of the weak links in corporate information security. A single act of carelessness can circumvent security controls and create a significant security event. For example, phishing is an effective attack against users – especially when the timing and the target are right.

Research shows that “95 percent of advanced and targeted attacks involved spear-phishing scams with emails containing malicious attachments that can cause malware to be downloaded onto the user’s computing device” (IBM X-Force Research, 2016). Whether because of work demands or the curiosity produced by human behavior, most users are likely to open a malicious phishing message that looks just right and has compelling content or information. The example provided below shows a well-crafted message that worked because the user was expecting delivery of a package. Timing was the key. The user clicked the malicious link in the e-mail and compromised the machine because this type of message was expected and the user did not confirm it came from the right person.

Figure 1: Example of a well-crafted phishing message (image not reproduced)

Phishing is common because the attack is inexpensive and it works. However, users must be aware of other attack vectors and malicious motivations to help protect their organizations.

  • Identity theft
  • Credit card fraud
  • Banking scams
  • Malicious software
  • Email hoaxes
  • Online predators
  • Loss of confidential information
  • Social engineering attacks

THE END USER SECURITY SOLUTION

Information is the best tool to help end users manage risk effectively. Education, training, and awareness provide the methods to deliver this information. Education exists to create long-term retention of ideas and information. Training complements education by teaching new skills or transferring new knowledge to a person. Then, awareness campaigns can be used to reinforce important ideas and information presented in education and training sessions. All these components work together to help users understand the risks they face and their responsibilities for managing those risks.

Education should occur at the beginning of employment to communicate the policies, standards, and expectations of the organization. Education is often repeated occasionally to reinforce retention of information that end users do not encounter regularly. Training and awareness should map to and enforce an organization’s policies, standards, procedures, and guidelines, which define the behavior and acceptable performance of users within the environment. Once users understand the fundamental behavior expected in the environment, training and awareness can also introduce ideas and skills that help users respond to threats and behave more securely in general.

ENHANCING THE CONNECTION WITH PSYCHOLOGY

Users tend to exhibit more secure actions and behaviors when they can make a personal connection to the information and understand why they should (or should not) do certain things. Organizations can leverage perspectives from organizational behavior and psychology to increase how effectively users connect personally to what they learn in education, training, and awareness. This helps create more secure computer users. The organization must understand individual users and the drivers that influence their behavior. People act differently when they are aware of positive and negative results from their actions or behavior. For example, rewards, whether recognition or prizes, often drive people to do what is necessary to receive the reward: “I will inform security operations about all suspicious e-mail I receive instead of opening the messages or clicking their links so I receive the award for being a secure computer user.”

Figure 2 (image not reproduced)

THE PARTNERSHIP BETWEEN USERS AND SECURITY

Every employee must work with security. “When users are engaged in security-related activities, they have a better impression of security’s efforts and are more likely to support those efforts” (Manke & Winkler, 2012). Training and awareness can complement security initiatives when they are tailored to address specific concerns. It also helps to repeat these sessions as often as necessary to support success. When users and security are connected, it is easier to identify when training and awareness should occur and the content of those messages.

EFFECTIVE TRAINING

In the best case, education and training supported by regular awareness campaigns can produce the following results:

  • The organization develops tailored programs to deliver relevant information about current threats.
  • Interactive and engaging content is used to deliver information.
  • Everyone receives training based on his or her role and the threats the end user is likely to encounter.
  • Compliance requirements for security awareness training are considered, but compliance is not the primary driver that defines the program and its approach.
  • The program produces a measurable reduction in user-generated incidents because users are operating more securely.

HOW DO YOU MAKE THIS WORK AT YOUR ORGANIZATION?

Most security experts agree that end user training is important, but convincing the people who hold the purse strings to invest in training instead of other initiatives can be difficult. Obtaining the budget for training is easier when training is a component of the organization’s information security strategy. The people leading the organization must buy into the strategy and understand the value of creating a workforce of secure computer users. If they do not support this perspective, the next option is to convince business unit leaders to invest in the creation of secure computer users because of the value it creates for each business unit, which has an incentive to maintain operations and avoid outages related to security incidents. If business leaders accept the wisdom that educated, trained, and security-aware end users are valuable, they are likely to invest in training for their employees or contribute to a funding pool for the entire organization.

References

IBM X-Force Research. (2016). 2016 Cyber Security Intelligence Index. IBM Security.

Manke, S., & Winkler, I. (2012). The Habits of Highly Successful Security Awareness Programs: A Cross-Company Comparison. Secure Mentem.

About the Author

Keyaan Williams

Keyaan Williams has more than 20 years of experience in information technology and security. More than 15 of those years have been dedicated to information security leadership, where he has created or improved security and risk management programs in large, regulated enterprises. He recently led two successful security programs at the U.S. Centers for Disease Control and Prevention (CDC) before joining EC-Council as the Senior Executive for the Certified CISO program. He also provides strategic leadership as a member of the board of directors for ISSA International, a global industry association for security professionals.

COMPANY INFORMATION

EC-Council
https://eccouncil.org