The National Institute of Standards and Technology (NIST) is updating 800-16 (A Role-Based Model for Federal Information Technology/Cybersecurity Training). Many will be familiar with NIST 800-50 (Building an Information Technology Security Awareness and Training Program) which was published in 2003 and has aged badly. In many regards, the problems with 800-50 stem from how the security awareness problem was framed. For example, the term ‘awareness’ is not actually defined in 800-50. How to raise security awareness is discussed over 70 pages but we don’t actually decide if it’s an outcome, a latent intent or a technical ability. You only have to look at the appendix on role based training in 800-50 to realize that the underlying assumption was that people’s security awareness needs was a competencies issue and a function of their duties. Having assumed that the problem was a lack of training, 800-50 then frames the response as how to organize and deliver security training. The new draft of SP800-16 has made progress and does include a three part definition of security awareness: “the ability of the user to recognize or avoid behaviors that would compromise cybersecurity” (a description of competency), “practice of good behaviors that will increase cybersecurity;” (an outcome) “and act wisely and cautiously, where judgment is needed, to increase cybersecurity.” (a method). However, despite a rather muddled description which straddles the old competency mindset and the newer focus on behavioral outcomes, the methodology in 800-16 is still only really geared to solve the competency issue.
Since the publication of 800-50 the perception of security awareness has started to shift away from technical training and towards behavioral influence. Now that security awareness is increasingly being framed as a problem of behavioral influence it opens up exciting new ways to influence users. For example, the Fog Behavioral Model proposes that behavior is a consequence of motivation, triggers and ability for which all three have to be present in order to cause a behavioral change. Sharp eyed readers will notice that this is consistent with Witte’s Extended Parallel Processing Model which predicts how people respond to the perception of danger . Looking at the models from 800-50, I’m not sure if they actually reliably predict anything. The famous Education/Training/Awareness model from NIST 800-50 (inset) isn’t actually a predictive model, it just helps to define different levels of training. The behavioral outcomes with training levels are not reliably correlated. There are plenty of examples where highly trained people take excessive risks. Long suffering readers of this column will be aware for example that racing car drivers have more accidents than average. The inverse is also true where there are people with very little understanding of the complex systems they use but somehow manage to operate them safely. Any efforts at behavioral change program will struggle to be effective if they focus solely on competencies and ignore the importance of motivation and triggers. Can you imagine a public safety campaign trying to change behavior without addressing motivation by evoking a social norm?
While I applaud the ongoing efforts to keep the NIST standard sets up to date and relevant, I’m not sure that simply rebranding some of the existing concepts is enough. The issue is that swapping definitions around for mandatory training programs delivering standardized content doesn’t change the fact that they are mandatory training programs delivering standardized content. A good move for NIST would be to properly define what we mean by security awareness and that’s an area the NIST is well suited to take the lead. Potentially, when most people refer to security awareness (including NIST), they’re talking about training. Fine if that’s what they mean but we need to stop using the terms interchangeably. NIST 800-16 looks like it’s solely about technical competencies and sounds like its only about technical competencies, but don’t let it fool you, it really is only about technical competencies. For most modern organizations that are interested in behavioral outcomes, that’s not enough.