By Keyaan Williams
Sr. Executive, CCISO Programs
End users can introduce significant risk into an organization. Insecurity often originates with end users who rely on IT every day but lack the experience and awareness of IT professionals. Fortunately, it is possible to transform the average computer user into a secure computer user who operates with wisdom and perspective on par with IT and information security professionals. Achieving this outcome requires a combination of formal education and training, reinforced by effective awareness campaigns.
Uninformed users are one of the weak links in corporate information security. A single act of carelessness can circumvent security controls and create a significant security event. For example, phishing is an effective attack against users – especially when the timing and the target are right.
Research shows that “95 percent of advanced and targeted attacks involved spear-phishing scams with emails containing malicious attachments that can cause malware to be downloaded onto the user’s computing device” (IBM X-Force Research, 2016). Whether because of work demands or simple human curiosity, most users are likely to open a phishing message that looks just right and carries compelling content or information. The example provided below shows a well-crafted message that worked because the user was expecting delivery of a package. Timing was the key. The user clicked the malicious link in the e-mail and compromised the machine: the message was expected, so the user never confirmed, through a channel other than the e-mail itself, that it actually came from the expected sender.
Phishing is common because the attack is inexpensive and it works. However, users must be aware of other attack vectors and malicious motivations to help protect their organizations.
Information is the best tool to help end users manage risk effectively. Education, training, and awareness provide the methods to deliver this information. Education exists to create long-term retention of ideas and information. Training complements education by teaching new skills or transferring new knowledge to a person. Then, awareness campaigns can be used to reinforce important ideas and information presented in education and training sessions. All these components work together to help users understand the risks they face and their responsibilities for managing those risks.
Education should occur at the beginning of employment to communicate the policies, standards, and expectations of the organization. It should also be repeated periodically to reinforce retention of information that end users do not encounter regularly. Training and awareness should map to and reinforce an organization’s policies, standards, procedures, and guidelines, which define the expected behavior and acceptable performance of users within the environment. Once users understand the fundamental behavior expected in the environment, training and awareness can also introduce ideas and skills that help users respond to threats and behave more securely in general.
Users tend to exhibit more secure actions and behaviors when they can make a personal connection to the information and understand why they should (or should not) do certain things. Organizations can leverage perspectives from organizational behavior and psychology to increase how effectively users connect personally to what they learn in education, training, and awareness. This helps create more secure computer users. The organization must understand individual users and the drivers that influence their behavior. People act differently when they are aware of the positive and negative results of their actions. For example, rewards (either recognition or prizes) often drive people to do what is necessary to receive the reward: “I will inform security operations about all suspicious e-mail I receive instead of opening the messages or clicking their links so I receive the award for being a secure computer user.”
Every employee must work with security. “When users are engaged in security-related activities, they have a better impression of security’s efforts and are more likely to support those efforts” (Manke & Winkler, 2012). Training and awareness can complement security initiatives when they are tailored to address specific concerns. It also helps to repeat these sessions as often as necessary to support success. When users and security are connected, it is easier to identify when training and awareness should occur and the content of those messages.
In the best case, education and training supported by regular awareness campaigns can produce the following results:
Most security experts agree that end user training is important, but convincing the people who hold the purse strings to invest in training instead of other initiatives can be difficult. Obtaining the budget for training is easier when training is a component of the organization’s information security strategy. The people leading the organization must buy into the strategy and understand the value of creating a workforce of secure computer users. If they do not support this perspective, the next option is to convince business unit leaders to invest in the creation of secure computer users because of the value it creates for each business unit, which has an incentive to maintain operations and avoid outages related to security incidents. If business leaders accept that educated, trained, and security-aware end users are valuable, they are likely to invest in training for their employees or contribute to a funding pool for the entire organization.
IBM X-Force Research. (2016). 2016 Cyber Security Intelligence Index. IBM Security.
Manke, S., & Winkler, I. (2012). The Habits of Highly Successful Security Awareness Programs: A Cross-Company Comparison. Secure Mentem.