Security Awareness vs Secure Behaviour and Culture Change

I often wonder if people really understand the difference between security awareness and secure behaviour and culture change? I don’t do security awareness, I do secure behaviour and culture change, but am I confusing things by making this statement? Us secure behaviour and culture change flag wavers can be seen to be shouting this through speaking opportunities and our online content, but does it really mean anything to you? I thought I’d take a few minutes to actually explain what we’re talking about when we make these comments.

What is security awareness?

In my mind, security awareness is what SANS call compliance focused activities. Defined as:

The program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad hoc basis. Employees are unsure of organisational policies and/or their role in protecting their organisation’s information assets.

I’d agree with this statement. Security awareness is a box ticking exercise, but, it’s not all doom and gloom, security awareness does do some additional good, because, while it’s limited to mandatory training, from my experience, companies who are doing just compliance focused activities, do do some awareness bits and pieces, outside of the mandatory training. They will communicate near misses or change in process to staff, who may or may not understand, read, engage with, or follow the change, because it’s normally a technical person telling them “we’ve seen an increase in CEO fraud. Be careful” or “We’ve changed our password complexity requirements, because of…”. What happens following this “security awareness” activity is not a lot, other than annoyance.?

As usual, let me give you an example. One of my close circle is in Level 2 IT support, and “awareness” mainly falls on their shoulders. They often let me know of security things that have happened within their organisation, and ask what they should do, or tell me what they did do. They work in a high-security environment. They are in no way trained in security, or communication. They relish hanging out with the computers, and Intune. This organisation recently witnessed a M365 spear phishing attempt. They didn’t go into the discovery details, but they did show me the communication they sent out to the entire 59,900 headcount.

The comms went something along the lines of:

We’ve seen a phishing attempt purporting to be from Microsoft. [Insert screenshot of convincing M365 login screen]. If you get an email saying you need to login to Microsoft, don’t.

This person was somewhat proud of their communication, because, every time they tell me about a security incident, I ask the question “what awareness activity did you do?”. They always answer with none. They tell me about the technical mitigations. So, for a pat on the back, they called to tell me they had done some awareness stuff. I wonder if your questions, and concerns mirror what then came flowing out of my mouth?

1. What technical controls did you put in place?
2. Did you explain how they could spot this was not a legitimate login screen?
3. How will staff now access their Microsoft account?
4. Is that wording suitable for the target?

And a few more.

For some unknown reason, this time, they didn’t implement any technical controls, or consider they’ve now told 59,900 people not to login into their Microsoft account, and what the consequences of this would be. I say unknown, but it’s not unknown. Us people who understand security, and how to communicate with people do this routinely. It’s not a once a month occurrence. It is something we do every working hour, of every working day, but, while I’ve gone off on a tangent, to me, this is security awareness.?

Security awareness is doing the bare minimum. It’s annual training. It’s loosely communicating something, without taking the opportunity to use a teachable moment. It’s a technical control without understanding, or a security message, without the technical control. It’s a lack of cohesion, and that’ll do. But you will meet your compliance requirements.

What is Secure behaviour and culture change?

Let’s refer back to the SANS definitions:

The program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behaviour change at work and at home. As a result, people understand and follow organisation policies and actively recognise, prevent, and report incidents.

Well, doesn’t that sound much better! People understand and follow organisation policies and actively recognise, prevent, and report incidents - isn’t that the dream? If you follow my talks, or blogs, you’ll have heard me say this a lot! Continual reinforcement - subliminal, drip fed messages, that are engaging and timely.?

What happens when you start to deliver secure behaviour and culture change, over compliance focused is cohesions, and a shared mission. From my work, I often turn up to an organisation that could fall into the security awareness camp, and I’m faced with animosity. I’m faced with key departments who have either no or a very poor relationship with security teams. The first thing I have to do is repair these relationships. These relationships are with teams like Communications, Human Resources, Learning and Development and the IT Help Desk. These teams are your greatest allies. You need them, and you need them to believe and support your mission. When you form bonds with these teams, your possibilities are endless. All blockers start to melt away. You support them, and they support you, opening channels to deliver your programmes.

The other thing that I often find is that staff don’t care about the security of the company, because there’s a team who does that. The same team that emails them to tell them to set a new password, without any rationale. The first thing you need to do to solve this is to get them to care about their own personal cyber safety. Put work security in a box for a moment. (I hear you screaming!) This is vital to the success of security behaviour and culture change. When staff care about their own cyber safety, they start to breed secure habits, and talk about cyber things. You’ve hooked them, and engaged them. They bring these habits into work, and then you can open the work security box, to a band of motivated and interested people.?

Go on this journey with me for a while - there’s recently been a buzz about a blood test for cancer. I’m sure we all know why this is exciting. Annual NHS costs for cancer services are ￡5 billion. Imagine if we all were routinely screened for cancer, and this new blood test was able to pinpoint the sequencing of cancers, to inform treatment methods. Imagine the cost savings, and efficiencies that can be harnessed through this simple blood test! Thanks for following me on another tangent, I’m getting to the point. So, what security behaviour and culture change gives you is an early warning sign. People are reporting incidents or suspected attacks. When, or even before a security team pushes out information, people are asking them questions, and employees are exhibiting the behaviours they are being trained on. When you have a culture where staff have an open dialogue with security teams, you are more efficient as a security team. You can actively reduce the cost of incident handling, and use your staff to proactively monitor your environment, and inform treatment plans! Remember, SANS says “people understand and follow organisation policies and actively recognise, prevent, and report incidents”. Imagine the cost savings, and efficiencies that can be harnessed through this simple security behaviour and culture change programme!

I’ve seen first hand how impactful this is. I’ve worked with organisations where staff will call me, administrative staff, marketing staff, people who very often don’t consider security as part of their job. They call and say I’ve seen something, I’ve done something, which tool or software should I use? What is the company’s stance on this? What does the policy say on x? This is an open dialogue, which shows people are considering security in their day jobs. This information informs security gaps. This is a culture of people who are security conscious, and this saves a shed load of money in incident response, monitoring, governance.?

To recap:

Security awareness is annual training, where staff don’t understand policies or how to protect the organisation, yet meets compliance requirements.?

Secure behaviour and culture change goes beyond just annual training and includes continual reinforcement, which results in people understanding and following organisation policies and actively recognise, prevent, and report incidents, which can result in cost savings, and efficiencies in security teams.

I know which programme I’d be ring-fencing budget for!