What Is Security Awareness?
What exactly is a ‘security awareness team or program?’
What are the necessary skills required? Should they have advanced education in a specific area? Should they be security experts first and foremost? What are the duties performed? Is it about communications? Training? Behavior? Security? What on earth is this? Needless to say this got me thinking; what exactly do I do as a security awareness expert? What characteristics are key to the success of a program? Some say it’s to empower the users to be more secure. Others say it's about increasing awareness of the security risks of their behavior. For me, I think it’s a lot broader than that. It’s all about interacting with humans and transmitting an effective message that will change behavior. Notice I did not specify a ‘security’ message.
Let me explain by outlining what I think are the needed roles for a successful security awareness program/team.
The Communication Expert
One of the bigger parts of changing user behavior is effectively getting your message across. If training is a text heavy slide show with no appeal to motivation or benefit to the user then the message will not get through. Alternatively, if it is all flash and mirrors with no needed content then it’s just as useless. So rather than asking a security/technology expert to suddenly become an expert in communication you need someone that is already that. Who else but marketers? This is a group of people that excel at not only communicating information but doing it in such a way that the viewer is motivated to listen and act. These professionals get the important information and efficiently package it to get the message across. How could you not want them on your team?
The UX/UI Expert
Another important part of effective security awareness is human-computer interaction. The days of in-person training are fading fast with most training being delivered on some sort of e-learning management system. If user experience is not factored in, it won’t matter how effective your messaging/training is if the platform is atrocious to navigate. Again, rather than requiring the security team to become an expert in cognition, HCI, usability, etc., bring in the experts. These guys/girls will be vital to your cause and ensure you don’t have to answer thousands of confused user emails once a year
The Behavior Expert
Security awareness is not just about training material, it’s about changing user behavior. Training is a point of contact for that but in order to enact change year round behavioral content plans need to be in place. Systems of rewards, reminders and motivators need to be enacted to make sure users are secure. While we are all human, and therefore exhibit behaviors, this by no means makes everyone an expert in human behavior. Again, don’t reinvent the wheel and don’t force the security/HR/operations team to become behavioral experts.
The Data/Research Expert
Once the messaging and behavior plans have been created, and the platform is all ironed out, you must –and I say must- implement metrics. If you don’t measure the behaviors you are trying to change how will you ever know your program is working? This is where the data expert comes into play. They set up the appropriate metrics and experiments to see if your messaging –and behavior content plan- is working, how it’s working, and where you can improve. They can also set up systems that predict upward or downward trends in undesired- or desired- behavior. All of this information can be taken back to the rest of the team to help tweak and constantly adapt the program. These guys/girls are vital to everyone’s success.
The Subject Matter Expert(s)
At this point we have effectively made a team that can disseminate any sort of human behavior change required, they just need a topic. Cue the subject matters experts (SME). Need to make training on phishing emails? Get a social engineering SME. What about some role-based training on incident response? Get an IR SME -maybe even reach out to your companies internal IR team. You could even broaden the scope of this team to include product, sales training, management and safety plans. The list is endless. A good group of SMEs enables this team to deliver whatever message is required within the organization.
There you have it. A good security awareness team really isn’t about security. It’s effective messaging and behavior change. The ‘security’ part comes into play when new content/topics are being discovered and a subject matter expert is required. I look forward to the day that this is what comprises an organizations awareness team. I think they would move mountains.