Cyber Matters: Understanding the Value of Threat Awareness Programs
More information at https://cyber.pro.wsj.com/

By Rob Sloan, cybersecurity research director, WSJ Pro

Despite investments in cybersecurity technology, attacks regularly cause damage and disruption to corporate networks. User awareness programs are essential in enlisting employees to detect, report and stop cyber attacks before data is put at risk.

Lance Spitzner is a director and instructor at cybersecurity research and education organization SANS Security Awareness. He is a former U.S. Army officer, a 20-year veteran of the cybersecurity industry, and a leading voice on security awareness. After a decade-long focus on technical aspects of security problems, Mr. Spitzner realized people, not technology, were the target. It was in securing the human that Mr. Spitzner saw he could have the greatest impact.

True cybersecurity awareness is still in its initial stages, Mr. Spitzner said, though this is changing. “We see organizations heavily investing in awareness now, moving awareness beyond just compliance to focus on behavior change.” In fact, while 23% of organizations assess their maturity level at compliance-focused, 71% are beyond that stage and almost 5% have reached the highest level of maturity.

The survey of about 1,700 corporate security awareness professionals was conducted by SANS Security Awareness, a division of the SANS Institute. SANS Institute was founded in 1989 as a training and certification provider, research establishment and operator of the internet’s early warning system, the Internet Storm Center.

Mr. Spitzner shared his thoughts about how organizations can develop and deploy programs for maximum impact.

How seriously are organizations taking security awareness training?

We are still very much in the infancy of securing the human element. However, organizations are beginning to understand that cybersecurity is not just a technical issue, but also a human one. More organizations are going beyond just computer-based training or phishing programs and are implementing creative ways to engage and change behavior. Adoption of maturity models, defined metrics and boardroom engagement are also positive signs of increased maturity.

Should awareness programs be run from the IT security department?

They should be run out of security departments, but should not be run by IT security people. In order to change workforce behaviors you want someone with a communications or marketing degree, not a computer science degree. Soft skills rather than depth of technical knowledge are more important for engaging the workforce, changing behaviors and ultimately, program success.

What resources are required to maintain a developed awareness program?

An organization with 5,000 or more employees requires at least two people dedicated to their awareness program to start having an impact. Our data shows a larger organization actually needs four full-time employees to start changing the security culture. If you don’t have dedicated people running your program, you will fail.

Repetition of the same cybersecurity warnings can become stale. How can organizations re-energize their existing programs to re-engage the audience?

Organizations can mature their awareness program by focusing on personal lives, gamification, micro-videos, fact sheets, hacking demos and guest speakers. However, most of these new activities require people to build and manage the program.

Let’s say you want to ensure people are disposing of all sensitive documents in the shred bin. You measure that behavior by dumpster diving. If there are sensitive documents in the dumpster, you know people are not following the behavior.

How can organizations demonstrate a return on their awareness investment?

Compliance is very easy to demonstrate, but reducing human risk and protecting reputation takes more effort. You first have to identify your top human risks, then identify the behaviors that manage those risks, then measure those behaviors.

Awareness doesn’t stop at preventing an attack; reporting it is equally important. We have seen detection and incident response times in many organizations dramatically improve as a result of their awareness program.

What role does the senior leadership team play in improving an organization’s security culture?

The report strongly demonstrates that senior executive support is critical to the success of any awareness program. One key step to achieve this is dedicating four hours a month to collecting metrics on your program and communicating those metrics to the leadership. In addition, find a senior leader who is a champion of your program and ask them how to best communicate the value of your program to other senior leaders.

Should employees ever be punished for failing to take cybersecurity seriously?

Before we start blaming the person we have to first look at the program. Have we made security too hard or confusing for them? If so, what can we do to make it easier? Can we change the process, increase the training, simplify the behaviors or use different communication methods?

If the person is the problem and not the training, most organizations take an escalation approach. After the first violation there is a warning, for the second violation the offender’s manager is notified. Subsequent violations may be reported to Human Resources and the resulting action will depend on the organization.

What is the starting point for a program with minimal allocated resources?

Start by focusing on how employees secure themselves at home. We use the same technology and face the same risks both at work and at home. By focusing on personal lives, people are far more likely to listen and change behavior. The second step is focusing on just some simple key steps that will manage the most risk. Too many organizations make cybersecurity overwhelming, scary or intimidating for people, but cybersecurity is not that hard if you focus on the basics.

There are some fantastic, free resources for small organizations, such as the monthly SANS OUCH! newsletter or materials published by the UK’s National Cyber Security Centre.

The SANS 2018 Security Awareness Report is available here.

Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.

Rob Cross

I advise CISOs on building strategic testing programs that reduce risk by 1000% | Book an appointment below to find out how

6 years

I agree with the article that true security and awareness starts with addressing the foundations of transformation rooted in human behavior. There are many ways to approach transformation, however I have found a key necessary element to any transformation is continuous measurement of key metrics / key performance indicators (KPIs) that both have technical meaning and translate back to the line of business and requirements. Through continuous measurement the business is sending a clear message on "we are counting what counts" and that security is important. In addition, providing visibility into these metrics across the portfolio adds equality in accountability. Finally, too often companies charge down the path of transformation wanting a quick fix with false expectations. Transforming your company from "security is something we do" to "security is who we are" takes time, patience, tough decisions, vision and a core belief that security is an integrated part of the overall company's mission.

Kevin Williams

Senior Director, Customer Engagement Management, at Intel 471

6 years

Well done Rob and Lance, great article. I was interested to see the point ‘One key step to achieve this is dedicating four hours a month to collecting metrics on your program and communicating those metrics to the leadership’. What are the metrics you recommend collecting?

Thomas D.

University of New Hampshire - Franklin Pierce School of Law Blockchain, Cryptocurrency and Law, Adjunct Professor

6 years

At a recent round table, we discussed which corporate organization is most effective for the IRM and compliance functions of overall corporate security. IT / IS / Risk / Legal / Finance or the Communications team?

Dan Lohrmann

Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor

6 years

Nicely done. Good questions / points by both Rob Sloan and Lance Spitzner. This interview brings out many of the same points I have been making for years - for example on security awareness training not being a punishment if you want to change enterprise culture. See: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-trouble-if-security-awareness-training-is-only-a-penalty.html

Giorgio Rosellini

Università bella arti presso Belle arti

6 years

Ma
