[BreachExchange] The Fundamental Flaw in Security Awareness Programs

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 19 19:00:53 EDT 2018


https://www.darkreading.com/endpoint/the-fundamental-flaw-in-security-awareness-programs/a/d-id/1332301

Most security awareness programs are at best gimmicks that will
statistically fail at their goal. They intend to educate people so that
they can make better decisions regarding how to behave or whether they are
being conned. The programs intend to get people to think so that they
eventually will behave better. This will at best achieve basic results.

Stop and consider that you are relying on the discretion of a minimally
trained user to thwart a highly skilled sociopath, financially motivated
criminal, nation-state, etc. Logically, this is a ridiculous business
decision.

Stop and consider that when an organization hires a new accountant, they do
not tell the person that their job is to do accounting and that bad people
want to steal money, so they should be careful about it. Companies have a
well-established accounting process that essentially takes away any
discretion from accountants. Accountants follow the established process and
they report and investigate any discrepancies. This is the same for any
established business process, whether it be manufacturing, accounting,
logistics, etc.

Awareness is usually not handled this way. Companies buy off-the-shelf
materials, which show people different tricks and offer general advice.
Videos try to be funny, which makes them slightly more memorable, but
that's independent of effectiveness. The off-the-shelf materials are not
specific to the company and merely provide best practices, some of which
are more relevant than others to the circumstances of specific employees in
specific job functions.

Consider the common W-2 phishing scams, in which criminals contact HR
personnel to get them to send the criminals the data on employee W-2
statements. There may or may not be materials specific to the HR function — but
more likely not. The typical videos aim to have employees stop and consider
if they are potentially being tricked. Again, this leaves the discretion to
a person with minimal training to thwart a criminal who has likely
perfected his or her crimes. There should be no wonder as to why thousands
of companies fall victim to W-2 phishing scams.

The underlying problem is that security managers are afraid to get involved
in business processes and embed security into those processes. For example,
with W-2 phishing scams, users should not have to decide if someone asking
them for W-2 information is trying to trick them; they should know the
established process of releasing personally identifiable information (PII).
Therefore, the HR professional should know that such a request must come
directly from their supervisor and be approved by the general counsel. The
HR professional should not have to "stop, think, and connect," as the
common awareness model would have you do, but specifically determine if the
request has the appropriate approvals. Is it theoretically possible that a
criminal can social-engineer the request through a supervisor and then get
general counsel approval? Yes, but that is a much higher bar, and the
discretion is not left to a random person.

When there is proper governance in place, all critical — if not all —
business processes are well defined in procedures or guidelines. A
properly run business is not left to the discretion of an employee. Even
Disney World, which is famous for allowing some customer service "cast
members" unlimited discretion in how they can correct problems, has very
defined procedures for how to dress, act, and even point. Security managers
should look at every process and determine where there can be user
discretion regarding a security-related decision or act, and then
essentially define how to remove that discretion. That may include defining
a decision process in a procedure or guideline, or the implementation of
technology to take away the need for a user action.
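The W-2 example above, and the point that discretion can be removed by "the implementation of technology," can be made concrete with a small approval workflow. This is an added example, not code from the article or its author: it models a PII-release request that HR cannot fulfil until the requester's supervisor and the general counsel have both recorded approvals, so the HR user checks for approvals rather than judging whether an email looks like a trick. All roles, names and request ids are constructed for illustration.

```python
"""
Added example (not from the article): a W-2 / PII-release workflow that
encodes the approval chain the text describes.  Release is refused unless the
requester's own supervisor and the general counsel have approved; the HR user
never has to decide whether the request "seems legitimate".
All users, roles and request ids are constructed for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    HR = "hr"
    SUPERVISOR = "supervisor"
    GENERAL_COUNSEL = "general_counsel"
    OTHER = "other"


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    supervisor: Optional[str] = None  # name of this user's supervisor, if any


@dataclass
class W2Request:
    request_id: str
    requester: User  # the person asking HR for W-2 data
    approvals: dict = field(default_factory=dict)  # Role -> approver name
    audit_log: list = field(default_factory=list)

    # Both approvals must be present before HR may act.
    REQUIRED = (Role.SUPERVISOR, Role.GENERAL_COUNSEL)


class ApprovalError(Exception):
    pass


def approve(req: W2Request, approver: User) -> None:
    """Record an approval.  Only the requester's own supervisor and the
    general counsel count; self-approval and other roles are rejected."""
    if approver.name == req.requester.name:
        raise ApprovalError("requester cannot approve their own request")
    if approver.role == Role.SUPERVISOR:
        if req.requester.supervisor != approver.name:
            raise ApprovalError(f"{approver.name} is not {req.requester.name}'s supervisor")
    elif approver.role != Role.GENERAL_COUNSEL:
        raise ApprovalError(f"role {approver.role.value} cannot approve W-2 releases")
    req.approvals[approver.role] = approver.name
    req.audit_log.append(f"{req.request_id}: approved by {approver.name} ({approver.role.value})")


def missing_approvals(req: W2Request) -> list:
    return [r for r in W2Request.REQUIRED if r not in req.approvals]


def release_w2_data(req: W2Request, hr_user: User) -> dict:
    """The HR action.  It checks recorded approvals, not the tone or urgency
    of the request; an unapproved request simply cannot proceed."""
    if hr_user.role != Role.HR:
        raise ApprovalError("only HR staff can release W-2 data")
    missing = [m.value for m in missing_approvals(req)]
    if missing:
        req.audit_log.append(f"{req.request_id}: release refused, missing {missing}")
        raise ApprovalError(f"missing approvals: {missing}")
    req.audit_log.append(f"{req.request_id}: released by {hr_user.name}")
    return {"request_id": req.request_id,
            "released_to": req.requester.name,
            "approved_by": dict(req.approvals)}


def demo() -> tuple:
    """Constructed scenario: a properly approved request is released; an
    'urgent' request with no recorded approvals is refused without the HR
    user having to exercise any judgement."""
    alice = User("alice", Role.OTHER, supervisor="bob")
    bob = User("bob", Role.SUPERVISOR)
    carol = User("carol", Role.GENERAL_COUNSEL)
    dana = User("dana", Role.HR)

    legit = W2Request("REQ-1", alice)
    approve(legit, bob)
    approve(legit, carol)
    released = release_w2_data(legit, dana)

    urgent = W2Request("REQ-2", User("unverified-sender", Role.OTHER))
    try:
        release_w2_data(urgent, dana)
        refused = False
    except ApprovalError:
        refused = True
    return released["approved_by"][Role.SUPERVISOR] == "bob", refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The design choice worth noting is that the control lives in the release function, not in training: the audit log records who approved and when a release was refused, which is what the article's facility-manager anecdote says was missing when nobody could name the guard who issued the badge.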

The ideal awareness program focuses on reinforcing the procedures and
guidelines, which have embedded security. Using the W-2 phishing scam
example, you should not have random phishing videos talking about how
phishers are trying to trick people, but the promotion of the specific
steps required to release PII. Likewise, you should not talk about how USB
drives can be lost; instead, define the specific handling of USB drives in
a way that accounts for the potential for lost or stolen drives.

In the book Hacking for Dummies, I relate a story in which I used social
engineering tactics to have a guard issue me a badge and sensitive access.
I later received a call from the facility manager asking me for the name of
the guard. I essentially informed the security manager that the fact he
didn't know which guard issued me a badge was worse than the guard issuing
me the badge. I also informed him that it was his fault that there was no
documented process for issuing badges, and that since he couldn't point to
a documented action that the guard did not follow, it was his fault the
badge was issued.

Awareness programs are usually ineffective because they represent the
abdication of security process to users. Users should be told about
specific actions they are required to take if they are an integral part
of business processes. I frequently use the example that employees know
that they should not watch pornography at work. While compliance requires
that this be stressed, employees know that they can be fired without the
training. People know and accept the fact that there are practices that
they have to adhere to as part of their job responsibility, as a condition
of continued employment. Security managers need to utilize this fact and
stop abdicating their responsibility to implement security practices into
business processes. This is the core function of any person overseeing a
critical responsibility.