I’m amazed at how many people are offering advice on what information security topics I should be deploying. They seem to know what training is needed despite having never met me or my beautiful users and not knowing anything about my organisation or its goals. There are plenty of top ten lists of awareness topics. Numerous generic training packages are available on the internet. I’ve got nothing against generic awareness materials or topic lists as such. In fact some of it is very professional and far better than individual organisations could create. While it might be easy to use someone else’s training package or use their list of recommended training topics, that doesn’t necessarily make it a good idea. I worry that we haven’t properly defined the problem that we’re trying to solve. If training material X is the solution, what was the problem?
The presumption for many awareness professionals is that behavioural problems exist because their audiences haven’t read A or been told B. The problem in effect is simply a lack of knowledge. Therefore the solution is the delivery of knowledge. A significant portion of information security awareness efforts fall into this category. Actually, there are a wide range of reasons why people behave in an insecure way and it’s not simply a lack of training. Some people have mistaken perceptions that override their training. Some people feel constrained to continue with insecure behaviour because of workplace culture or management pressure. Others respond to perverse incentives such as wrongly aligned bonuses that facilitate harmful behaviour. It’s also possible that the systems your users are trying to operate are excessively complex.
Depending on what problem you’re trying to fix, the solution is very different. The fantastic Security Education Training and Awareness by Carl Roper groups behavioural compliance problems into three categories: environmental, skills / competencies and motivation / attitudes. Roper notes that the worst thing you can try to do to solve a motivation problem is to use a training approach. Training is an answer to a skills / competencies problem. Consideration also needs to be given to whether you’re trying to get your audience to learn or unlearn something. To change an existing mistaken or unhelpful perception, you really need to know what it is before you can manage it. To change an existing belief usually requires a direct challenge of that belief and a high level of cognitive engagement to show why that belief is incorrect or unhelpful. For example, if users have the mistaken perception that websites with the padlock are ‘safe’ then you’ll need to home in on that rather than generically teaching the facts about phishing. For issues with management or workplace pressure, the focus needs to be on more than just knowing the rules. It also needs to cover strategies for standing up to people who are pushing for insecure actions to be carried out. Practical options such as whistle blowing or anonymous reporting need to be discussed. It’s important to understand how your intervention is going to influence existing behaviours. For all you know, the users have heard the infosec spiel before and if it didn’t work last time then… We in the infosec community have a habit of dumping information on people and expecting them to absorb it like robots, but that’s not how it works.
You should consider involving your users directly in the process of selecting training topics and content. Find some representative users and ask them for their views. Are they familiar with the organisation’s key information security risks? Who do they think threats are targeted at? What actions do they think increase the likelihood of the risk? Why do they think those actions are occurring? What do they think it would take to change people’s behaviour? Once you understand their perception of the problem, the solutions become obvious. You’ll understand if they need some topics more than others rather than relying on industry fads. This is about a detailed understanding of your organisation’s security ergonomics.
The next time you’re presented with awareness materials from someone else’s top ten or a third party, ask yourself if the author or designer understood the problematic behaviours that exist in your organisation. If so, ask how those particular awareness materials address your organisation’s problems. In many cases, I suspect you might find out where most security awareness topics come from. I could state it here but it wouldn’t make it past the editor.
Originally published in the August 2013 edition of the ISSA International Journal.