Why I Think Your Awareness Program is Broken…

Security awareness. I know, I know… This is one of the worst parts of being an infosec person. We all seem to have problems with it. Not so much because the content creation is hard, but because effective content creation is nearly impossible.

For almost 20 years, we in the infosec business have been harping at you about awareness. The story often goes something along the lines of “If only we could teach the users to be more careful and attentive, then we could protect them better.” The truth of the matter, though, is that the average user either doesn’t care about information security (until it’s too late) or simply doesn’t have enough technology skills to protect themselves in a meaningful way. But, and I promise you THIS – the answer is absolutely NOT another poster in the lunch room about not clicking on the dancing gnome or opening emails from people you don’t know…

I think we are going about this in the wrong way. In fact, I believe that the only prevention-focused message you should be sending to your staff on a repeated basis is about laptop theft. If you focus all of your prevention awareness on laptop theft, you might accomplish a little bit more, since laptop theft is a pretty personal crime. So, if you must print up some posters – make them about not leaving your laptop in the back of your car, or skip the posters altogether!

What do I propose instead? What then will we do with all of that awareness budget???

I propose this. I suggest that you skip prevention awareness and instead focus your staff on being better “net cops”. Yep, you heard me, NET COPS. Why the heck would you do that, you might be saying? Well, the main reason is that, according to recent data profiling data compromises, your team members (as in humans) are twice as likely to notice strange attacker behaviors, security issues and other anomalies as automated systems like IDS and log monitoring. Plus, people already love to play net cop. Your customer service people love it, your sales people love it and, face it, most infosec people love it too. There is a reason why there are so many crime shows on TV. Since people love the idea of being a net cop, let’s focus on teaching them, giving them incentives and helping them help us protect our data more effectively.

This month, as you may know, is security awareness month. As such, throughout the month, we, like other blogs and security companies, will be talking a lot about awareness. BUT, on this blog and at MSI, we are going to talk more about teaching your users to be detectives. We think a new focus, shifting from “what not to do” to “help us patrol the network”, just might work! We’ll never know unless we try!

Give it some thought and as the month goes on, don’t be shy. Let us know what you think about the idea. Thanks for reading!

This entry was posted in End-user Focused, General InfoSec by Brent Huston.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!