Recently a very smart person wrote an opinion piece arguing that Security Awareness is useless.
That started an entire flurry on Twitter and eventually several responses, such as @Krypt3ia's response here. Then there was @iiamit's response here, which in turn resulted in @jadedsecurity's response, which is here.
Everyone in this discussion has made salient points. The first is that compliance training (the training you get once a year) does not work. But no one bothers to explain why it doesn't work; they just launch into what you should do instead.
So let me try to explain why it doesn't actually work. The human brain is wired in such a way that we are gigantic assumption engines. We have an entire neural framework that assists with this, known as the mirror neuron network. Sometimes referred to as the "mind reading neuron", its primary function is to let you simulate someone else's actions in order to determine their intent and, ultimately, their relationship to you and your desires. We use this system constantly. Every time someone reaches for the salt, our brains mimic that action internally with mirror neurons and we think, "They are going for the salt."
Why bring this up? To illustrate how often we assume without realizing it. Imagine if you failed to assume that gravity will always work. Every step you took would require conscious thought: "Is there gravity? Can I trust gravity? Will my next step have gravity?"
Secondly, these assumptions allow us to filter common events from abnormal ones, which matters for survival. We don't notice the fence day after day, but we do notice when the fence suddenly has a hole in it. You may or may not notice when someone gets a haircut or a new shirt, but you always notice if they suddenly have crutches or are in a wheelchair.
Put those two concepts together and you end up with something known in psychology as "repetitive task fatigue", which basically means the more times you do something, the less attention you pay to it. This is a very real problem on production lines, where a simple lapse in attention can literally cost a life or a limb. The military suffers from it on guard duty: a guard spends 99% of the time watching "nothing" and gets lulled into "a false sense of security". There are several everyday metaphors that capture this concept.
This is why training users once a year is ineffective. It is also why users click the link no matter how many times you tell them not to. YOU told them not to once; they have clicked on links THOUSANDS of times with no negative effect, so the brain has essentially said, "This is fine, nothing bad ever happens, please focus on something else."
This brings us to the concept people like to throw around called "reinforcement": the more often you are exposed to differing outcomes from the same action, the less your brain assumes it already knows what that action will produce.
Now, there are right and wrong ways to use reinforcement, and I rarely see it done correctly, or at least correctly for the right reasons.
There is more to reinforcement than occasionally tricking the user with a new phishing email every couple of months. You have to give them differentiators to key into (a consistent tag on external mail, for example), so that they can use those to assess the action they are about to perform.
If every action they perform becomes a 50/50 coin flip between good and bad, you are simply producing decision anxiety, which is counterproductive and, for certain psychological profiles, may cause panic attacks or other problems.
Secondly, you have to establish a social construct of forgiveness and reward for self-reporting. It isn't enough for someone to have clicked the link and been told that it could have been bad. You have to instill the desire to report that they clicked on something. In the end we are human and we will make mistakes; the idea is to recover from those mistakes as soon as possible.
This is meant as an addition to the discussion, so it does not replace the valid points already made about how to implement an SA program or the elements it requires. It is simply a more in-depth look at why those techniques are needed.
So in conclusion,
1) Users click constantly, and occasionally pointing out that it could be bad is insufficient.
2) Reward people for reporting mistakes and encourage open discourse.
3) Brand your communications so that users have something to look for that differentiates external from internal communications.
This gives users the best cognitive training, using their natural tools for assessing risk.
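Point 3 above is the one that turns into code at the mail gateway. The following is an added example, written for this page and not code from the original post or any product it mentions, of an external-sender tagging rule: mail whose sender is not one of our own domains gets a subject tag, a header that mail clients can colour or filter on, and a banner in the body. It goes slightly beyond the text by covering two spoofs that a naive "look at the From line" rule misses: an internal-looking display name wrapped around an outside address, and an outside message that simply claims an internal From domain without passing DKIM. The domain example.com, the tag text, the banner, and the three sample messages are assumptions constructed for this example.

```python
"""
Added example (not from the original post): an external-sender tagging rule of
the kind a mail gateway applies so users have one consistent differentiator
between internal and external mail. Domain, tag text and sample messages are
assumptions constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domain(s)
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organisation. "
          "If it asks you to click, log in or pay, report it before acting.")


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg: EmailMessage) -> str:
    # Use only the address part. The display name is attacker-controlled and
    # is exactly where a spoofed "internal" name gets planted.
    _name, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dkim_authenticated(msg: EmailMessage, domain: str) -> bool:
    # Trust Authentication-Results only because our own gateway writes it
    # (assumption: inbound copies of that header are stripped before this runs).
    for ar in msg.get_all("Authentication-Results", []):
        for clause in str(ar).lower().split(";"):
            tokens = clause.split()
            if "dkim=pass" in tokens and f"header.d={domain}" in tokens:
                return True
    return False


def is_external(msg: EmailMessage) -> bool:
    domain = sender_domain(msg)
    if domain not in INTERNAL_DOMAINS:
        return True
    # Claims to be internal: believe it only if DKIM proves the domain.
    # An unauthenticated "internal" sender is the classic spoof, so tag it.
    return not dkim_authenticated(msg, domain)


def tag_message(raw: str) -> EmailMessage:
    """Return the parsed message, branded as external where it is one."""
    msg = parse(raw)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    msg["X-External-Sender"] = "yes"   # lets mail clients colour or filter it
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(BANNER + "\n\n" + msg.get_content())
    return msg


# Constructed sample messages (not real traffic).
SPOOFED_DISPLAY_NAME = """\
From: "Alice Smith <alice@example.com>" <alice.smith@example.net>
To: bob@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need gift cards bought for a client today.
"""

SPOOFED_INTERNAL_DOMAIN = """\
From: ceo@example.com
To: bob@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Wire the attached invoice before noon. Do not call me, I am in a meeting.
"""

GENUINE_INTERNAL = """\
From: bob@example.com
To: alice@example.com
Subject: Lunch?
Authentication-Results: mx.example.com; dkim=pass header.d=example.com header.s=sel1; spf=pass smtp.mailfrom=example.com
Content-Type: text/plain; charset="utf-8"

Canteen at 12?
"""

if __name__ == "__main__":
    for label, raw in [("display-name spoof", SPOOFED_DISPLAY_NAME),
                       ("internal-domain spoof", SPOOFED_INTERNAL_DOMAIN),
                       ("genuine internal", GENUINE_INTERNAL)]:
        print(f"{label:22} -> {tag_message(raw)['Subject']}")
```

The design choice worth noting is that the rule never decides from the display name, and never believes an internal From domain on its own: the differentiator users are told to look for is only worth anything if the attacker cannot produce it by typing a familiar name or domain. Multipart and HTML bodies are left untouched here; a production gateway would insert the banner into each text part.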