In a recent article that highlights why security awareness programs frequently fail, the top reason cited was poor governance. In reviewing and implementing dozens of awareness programs, I have come to believe that the poor definition and implementation of security governance is the fundamental reason for security awareness program failures.
First consider what governance is. At a high level, governance is the definition of how people should perform their daily functions. Notice that this doesn’t say anything specific about security. The assumption is that the definition of those behaviors embeds security.
It amazes me how companies rightfully want full control of their security programs, yet they pretty much abdicate their awareness programs to vendors.
While it does not seem to work this way in practice, awareness programs should promote good security behaviors. They should inform people about their expected behaviors in common and uncommon circumstances. These expected behaviors are not something to be determined by a random CBT provider, but should reflect what is established in corporate governance.
For example, when most CBT videos talk about social engineering, they highlight how hackers will trick you into giving up your passwords or other sensitive information. The phishing videos highlight how phishers want to get your passwords or get you to download software. However, consider the latest evolution of phishing and social engineering attacks, which involves contacting accounts payable, the CFO, or accounting and asking for money to be transferred. Traditional training materials do not discuss this at all, as they just rattle on about basic social engineering and phishing.
Consider the recent incidents at Moneytree and Seagate, where criminals emailed people in the human resources departments, pretending to be the CEO or another party, and asked them to send tax-related information about employees, as well as the rash of accounts payable thefts, where criminals use some pretext, frequently pretending to be the CEO, to have those departments transfer money to an account. All of these would be countered by people following good governance. Governance would detail the specific process to release information or send money. A random email that requests the release of information should be summarily rejected, and the sender, even the CEO, should be directed to follow the defined procedures or guidelines.
To examine what awareness information should be provided, you must first consider that some policy, procedure or guideline should detail the process for approving and processing payments. I assume that an email or telephone call from anyone is not the entire formal approval process for issuing payments.
While it might be helpful for awareness programs to highlight phishing and social engineering, they need to highlight the procedures and guidelines related to releasing payments. That should be done for all aspects of security.
However, programs that focus on implementing off-the-shelf videos do little to address specific and proper behaviors for typical situations. The typical 3-minute awareness video on social engineering will not address specific governance for all job functions, and won’t include the detailed process for the release of tax information or funds transfer specific to that company. Proper governance should detail the process for requesting the action to be taken. It should detail who can make the requests, what the approval process is, and any verification processes that should be performed.
Unfortunately, governance is usually treated like a game you play with auditors. Companies try to write just enough policies, procedures, and guidelines so they are not listed as an exception on an audit report. Then the resulting documents go on a shelf until the next audit. Proper governance should be practical and implementable.
Awareness programs should look to governance as the driver for the program content. While some computer-based training might be considered, an awareness program should be much more. There must be many modes of communication. There must be outreach to the special populations with the information, pulled from governance, specific to them.
While a certain part of awareness involves motivating people to do the right things, awareness needs to specify what those right things are. This cannot be delegated to off-the-shelf videos. Of course there are industry best practices and certain behaviors that might be considered universal, but if you want to have an effective awareness program that goes beyond what should be obvious, you need to ensure that you review the appropriate policies, procedures, and guidelines and make sure that is what your awareness program is promoting as appropriate behaviors. If those documents do not already exist, your security program likely has significant issues to begin with.