
Relevance is the key to better user security awareness

The most important messages are not getting through because they are not couched in terms that relate directly to users’ work, lives, and careers, argues François Amigorena of IS Decisions.

Updated October 3, 2023

Research by IS Decisions several years ago found that a shocking seven out of ten office workers admitted that, if they became aware of a security breach at work, they wouldn’t know who to report it to.

This survey was across a sample of 2,000 people in the U.K. and the U.S. The result is probably not surprising to most security professionals. And not a lot has changed since we did the survey, unfortunately. We all know user security education is lacking in most organizations.

But this really is the most basic of knowledge requirements. Surely if you are going to teach your users anything at all with regards to security, the first thing you teach is who to report to if they discover a breach?

Perhaps this statistic doesn’t just show that user understanding of security is lacking; it means that, the majority of the time, there is no understanding at all. In other words, user education is woefully inadequate.

No one size fits all

That said, it’s worth noting that there probably is no standard answer to “who do you report a breach to?” across all organizations.

In some cases the right person to report to might be an IT manager; in others it might be the MD, a Chief Security Officer, or even human resources. The person you report to may depend on the nature of the breach. On closer inspection, it’s not that straightforward a question to answer.

And this is why we need to start looking at the issue of relevance and relativity. Who carries the responsibility for security in the organization, and how is that communicated to employees?

Real consequences for bad user security behavior

These are the basic elements of security training, yet any security professional who has embarked on training employees will be familiar with the lack of engagement that can occur.

If security does not impact employees directly, their career goals or their day-to-day work, then (perhaps understandably) it is unlikely to be a priority. Naturally, the priority is getting their work done, and in some cases that might involve circumventing security policy: sharing a password so a colleague can access a specific file, or taking something off the network without the correct administrative rights.

If we start relating security back to the things that do matter to employees, namely their career goals and everyday work, then we start to see more positive behavior.

If sharing a login with a colleague results in your own access being restricted, then you are much less likely to do it. If the consequences for bad security behavior are as severe as an impact on promotion, or even the potential for dismissal, then suddenly it becomes very much in your best interest to pay attention in that training session.

User security training in situ

Many of us have experienced user security training at work. However awe-inspiring or scary at the time, we forget most of it pretty quickly.

The key to successful work training is this: create practical ways of using what you have been trained to do in actual situations.

Most trainers will tell you that successful training is a combination of theoretical and on-the-job, and the same is the case for training users on security issues.

“Explain potential risks to your users using real world examples.”

It is not enough to tell users what they should and should not be doing, then just dismiss them to go about their daily working lives. Instead, combine training with telling users what is good and bad behavior in situ. For example, they could be served an alert when logging in from a new device or location, when attempting to access a file they don’t have rights to, or when otherwise engaging in suspicious behavior.

By explaining that what they are doing is wrong and why when they actually engage in taking a particular action, users are more likely to understand.

Know your audience

We know that the approach to internal security is not a case of one size fits all, so it is important to know your audience and how to relate security to them in their own terms.

In IS Decisions’ Insider Threat Peer Report, which contains the views of several IT and security professionals, Joseph Reyes, IT manager at Bellicum Pharmaceuticals, said:

In the biotech industry, executives tend to listen when the conversation is the theft of intellectual property. They understand the need for forensics and the ability to find out who did what and when they did it. I think when you can show that an idea can be stolen and that you can get the tools to either watch when that is occurring or identify who did it after it occurred, you become a hero.

This principle is adaptable to any industry. In finance it may be fraud that employees are most wary of; in law, perhaps client-sensitive information. In education, students may not immediately understand the risks of sharing a password with a friend until you explain that, while lending front-door keys to a friend is relatively safe if you get those keys back, once you give a password to a colleague they can access your files whenever they like until you effectively change the locks by changing your password.

Explaining to your users what the potential risks are to them in directly relatable terms will ensure that they comprehend them more fully.

How technology can help with better user security behavior

We’ve talked a lot about the use of language and how to interpret security issues and rules. These are cultural factors, but technology can be the vehicle through which you deploy these cultural tactics, provided you have technology that allows for real-time monitoring, risk indicators and a complete view of network activity. This will be a solution that allows you to:

One last thing you might want to set up is alerts that let users know exactly who to report to if they detect any suspicious behavior. That way you should find that your users are not part of the 70% who are in the dark about the most basic of user security training principles.
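As an added illustration of the in-situ alerts described in the training section and the “who to report to” alerts just mentioned (example code, not part of the original article and not UserLock’s implementation), the following sketch evaluates a constructed logon or file-access event against a per-user baseline of known devices and locations, and returns a message that explains what was flagged, why it matters to the user, and whom to report it to. The baseline, contact details and event data are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample baseline: devices and locations each user has used before (hypothetical).
KNOWN_CONTEXT = {
    "alice": {"devices": {"LAPTOP-ALICE"}, "locations": {"Paris"}},
}

# Hypothetical contact line: the alert must name exactly whom to report to.
REPORT_TO = "report it to the IT Security Officer (security@example.com, ext. 1234)"


@dataclass
class Event:
    user: str
    kind: str              # "logon" or "file_access"
    device: str = ""
    location: str = ""
    resource: str = ""
    authorized: bool = True


def awareness_alert(ev: Event, known=KNOWN_CONTEXT) -> Optional[str]:
    """Return an in-situ message for a flagged action, or None if nothing is unusual."""
    reasons, why = [], ""
    if ev.kind == "logon":
        ctx = known.get(ev.user, {"devices": set(), "locations": set()})
        if ev.device not in ctx["devices"]:
            reasons.append(f"device '{ev.device}' has not been used by your account before")
        if ev.location not in ctx["locations"]:
            reasons.append(f"location '{ev.location}' is new for your account")
        why = ("If this wasn't you, someone else may be using your password; "
               "a shared login stays usable until you change that password.")
    elif ev.kind == "file_access" and not ev.authorized:
        reasons.append(f"your account does not have rights to '{ev.resource}'")
        why = ("Access is limited to the people who need it; borrowing a colleague's "
               "login to get around this is a policy breach with consequences for both of you.")
    if not reasons:
        return None
    return (f"{ev.user}: this action was flagged because " + " and ".join(reasons)
            + ". " + why + f" If you think this alert is wrong, {REPORT_TO}.")


def remember_context(ev: Event, known=KNOWN_CONTEXT) -> None:
    """After a logon is confirmed legitimate, add its device and location to the baseline."""
    ctx = known.setdefault(ev.user, {"devices": set(), "locations": set()})
    ctx["devices"].add(ev.device)
    ctx["locations"].add(ev.location)


if __name__ == "__main__":
    print(awareness_alert(Event("alice", "logon", device="PHONE-7", location="Lisbon")))
    print(awareness_alert(Event("alice", "file_access", resource="\\\\fs1\\payroll", authorized=False)))
```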

By guiding employee behavior through education and technology, an organization can encourage all users to better protect their own network and avoid careless mistakes.

A version of this article originally appeared in Network Security in April 2015, a monthly publication devoted to solving network security problems in system-specific detail.
