Like most cybersecurity experts, Ira Winkler has a wealth of stories that illustrate how dangerous user behavior can be to cybersecurity. He’s also got something more. A “modern-day James Bond,” Winkler is indeed a straight shooter, with a humor-laced delivery style that’s well suited to the topic of gamification – a tool he sees as instrumental to cybersecurity awareness and the subject of his presentation at the 2016 CyberCrime Symposium.
Winkler, president of Secure Mentem, kicked things off by detailing a cringe-worthy employee onboarding experience he’d had while working as an analyst at the National Security Agency (NSA), where he began his career. While helping a new hire log in to a key database, he explained that her surname, “Kirk,” would be her user ID, then typed in the password “captain.” Turns out the joke fell flat – she’d indeed chosen that password.
“This is at the super-secret National Security Agency, world's leader in information security,” Winkler said. The new hire was intelligent and had just completed the NSA’s three-day security awareness program, but nothing she’d learned suggested she’d chosen a bad password.
"Who," Winkler asked attendees, "was at fault?" The system’s settings shouldn’t have allowed the password in the first place; something more complicated should have been required. Another leading contributor to situations like this, which are “hardly unique,” is that security professionals assume a level of common sense where cybersecurity is concerned. So knowing that “captain” was a poor choice of password if your surname is Kirk, in their minds, should have been common sense.
But, Winkler argues, “it’s not a matter of common sense, because you can't have common sense without common knowledge. If there’s fundamental common knowledge, then people can exercise behaviors in line with that knowledge, but without it, there’s no common sense.” In fact, he said, Edward Snowden got access to the data he wanted by convincing 24 NSA co-workers he needed their passwords so he could work on a special project. Again, there was an assumption that employees, especially those in an organization like the NSA, know there’s never a reason to share their password.
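The kind of password-acceptance check Winkler says the system should have enforced, as an added example that is not code from the article or from Secure Mentem. The common-password denylist, the per-user "associated terms" list (the organization would have to maintain these), and the length and character-mix thresholds are all assumptions.

```python
import re

# Constructed denylist of passwords a user can never choose (assumption: a real
# deployment would load a much larger list of breached/common passwords).
COMMON_DENYLIST = {"password", "captain", "welcome", "letmein", "123456"}


def _normalize(text):
    """Lower-case and strip punctuation so 'Cap-Tain' still matches 'captain'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(username, password, associated_terms=(), min_length=12):
    """Return the list of reasons a password is rejected; an empty list means accepted.

    associated_terms: words the organization knows are linked to this user
    (e.g. 'captain' for a user whose surname is Kirk) - an assumed per-user list.
    """
    problems = []
    user = _normalize(username)
    pw = _normalize(password)

    # Length floor: 'captain' fails this before any other rule is consulted.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # The user ID must not appear in the password, nor the password in the user ID.
    if user and (user in pw or pw in user):
        problems.append("contains or is contained in the user ID")

    if pw in COMMON_DENYLIST:
        problems.append("on the common-password denylist")

    # Catch 'common knowledge' associations that a generic policy cannot guess.
    for term in associated_terms:
        if _normalize(term) and _normalize(term) in pw:
            problems.append(f"derived from a term associated with the user ({term!r})")

    has_mix = (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
               and re.search(r"\d", password))
    if not has_mix:
        problems.append("lacks a mix of upper-case, lower-case and digits")

    return problems
```

Run `check_password("kirk", "captain", associated_terms=("captain", "enterprise"))` to see every rule the anecdote's password trips; the same call with a long, mixed-character passphrase returns an empty list.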
Stupid Decisions and the Infosec Pros That Enable Them
While users may make stupid decisions that impact security, it’s security professionals that enable them. “A single user shouldn’t have the ability or authority to click on a link and bring down an entire network,” Winkler said.
What’s the answer? A security leader’s overarching objective should be to create a strong cybersecurity culture. "Good cybersecurity awareness programs create the common knowledge that generates the right behaviors," said Winkler, "and those behaviors create a self-enforcing culture that continually builds awareness."
The key to creating awareness? "Motivation," said Winkler. "It translates knowledge into action, and solidifies culture."
So why wait for behavioral consequences to motivate users when a good cybersecurity awareness program can do the job? A good program takes into account the culture, the users, and the methods most likely to motivate them. And, Winkler said, "it’s not training, which is focused on static information and uses tests to gauge understanding. Instead, awareness focuses on building positive behavior." To gauge heightened awareness, administrators must measure actual behaviors.
Seven Habits of Successful Cybersecurity Awareness Programs
Habit 1: Build a strong foundation. Create awareness programs based on, say, three-month plans vs. annual plans, so they remain fresh, can accommodate new threats, and enable frequent assessment. Some cultures benefit from pushed material – videos, newsletters, or monthly tips – while many others need the motivation that comes through gamification.
Habit 2: Get organizational buy-in. Strive for buy-in at the highest possible level. To reach these heights, market materials to the C-suite. “In some cases, you’ve got to create an awareness program specifically for executives, because if they get excited, everybody gets onboard,” said Winkler.
Habit 3: Participative learning. Depending on the culture, security teams might use gamification, interactive learning modules, or teaching tools, like simulated phishing attacks, that use the element of surprise. These and more creative approaches should be voluntary – they work when users are motivated to ‘pull’ materials and engage.
Habit 4: More creative endeavors. More sophisticated forms of gamification and creative programs require their own marketing campaigns. To be effective, they need to inform users how to get involved, what rewards they’ll gain at what levels, and where others in the company stand in terms of progress. A creative program focuses on actual security needs and rewards users based on behavior or activities that help address them. They might earn 50 points for reading an article on a new threat, or snag 250 for finding a security vulnerability, which they can exchange for gift cards, a day off, or other swag. These programs also need their own policies, reward structure, and tracking systems so administrators can manage them.
Habit 5: Gather metrics. Collect metrics before starting a new awareness initiative and compare the rate of incidents reported before and after. To determine if root behaviors are improving, security administrators can use password crackers, encourage incident reporting, check help-desk incident records, and conduct facility walkthroughs to observe how employees keep their desks. An increase in incidents reported can be a good thing, signaling that awareness is on the rise.
Habit 6: Partner with key departments. When IT security works with departments with synergistic goals – legal, marketing, HR, compliance – they can build support, increase compliance, and may receive a larger budget allocation.
Habit 7: Be the department of “how.” Too often, security teams are the department of “no.” Since that’s ineffective, they need to concentrate on teaching users how to do things securely.
“If you implement it properly, an awareness program can deliver the greatest return on your investment,” Winkler said.
This is the fourth in our series presenting key takeaways from Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check-in weekly for the latest installment featuring actionable insight from select presentations.
Need Some Cybersecurity Expertise on Your Team?
Sage's Cybersecurity Partnership Program gives you access to our cybersecurity advisors. You receive oversight, guidance, and counsel toward meeting compliance objectives and improving the security posture throughout your organization.