I have an issue with “awareness training”. Well two really. And that’s despite running cyber security training programmes.
First of all, I don’t like the term “awareness training”.
Training is about the delivery of skills and knowledge. It’s about me helping someone understand how and why to do something.
Awareness is very different. It’s about consciousness of that knowledge. It is very easy to know something and, at a particular instant, not be aware that you know it. You only have to watch a quiz programme on TV to see that: stress is a great way of burying knowledge.
So there are two separate things: training, which is about delivering information (face to face lectures, videos, documents, online tests etc.), and awareness, which is about having that knowledge front-of-mind all the time (email reminders, pop ups, posters in the loos, videos in public spaces, lapel badges…).
And that leads me on to my second point. When I am helping organisations address the human factors that can impact on cyber security, I need to think about training. And I need to think about awareness. But on their own, a combination of training programmes and awareness campaigns won’t cut it.
There is a lot else involved.
I am going to assume that you have a strategy, that you know what you want to protect and why you are going to make extra efforts to protect certain things. Once you have identified what you are going to protect you need to think about how.
How are you going to give people access to information; how are you going to store or share information; how are you going to destroy it? All of these acts require processes. And those processes need to be acceptable to the people who have got to use them.
I don’t just mean processes that people are capable of struggling through. I mean processes that people don’t have to expend unnecessary mental (or physical) energy to complete. And processes that don’t get in the way of people doing their day job.
Security processes need to be designed with end users (not IT professionals) in mind. If they are not, end users will simply find ways of working around them.
So you need to design security processes carefully.
And then you need to explain them carefully. That’s where usable policy documents come in. Your policy documents are one of the tools you can use to get people to change their behaviour (along with training and awareness). Take care though. It’s one thing to cover off every eventuality in an Acceptable Use Policy that runs to 50 pages (yes, I’ve seen one). It’s quite another to expect people to read it.
So we have got usable processes and policies, effective training, and continuous awareness programmes. That’s going to get people behaving safely, isn’t it?
Not a chance.
If we want people to behave in a certain way we need to motivate them. And that means understanding why they do certain things and why they don’t. That involves identifying the behavioural drivers that affect your colleagues.
Some of these will be personal, such as a grievance against a manager; and some of them will be cultural, such as an acceptance across an organisation that cyber security is the responsibility of some hapless guy in the IT department – or that it simply isn’t very important, as evidenced by the behaviour of the CEO.
We will leave personal drivers aside for the HR team to manage. We need to address organisational culture because there are elements of it that are particularly important in cyber security. These include whether or not people trust other people as a default (that is to say, without good cause); and whether or not people find it socially acceptable to be a little unhelpful on occasion.
There are of course many other cultural “lenses” that you should consider, but I think these, along with a feeling of personal responsibility, are two of the most important.
Managing cultural change is never going to be simple. And success is never going to be instantaneous. But that doesn’t mean you can’t try. And running a cultural audit to see where the main problems lie is probably a good first step.
There you have it. Usable systems and documents, effective training, continuous awareness, cultural change. No one ever said life or cyber security was simple. But over-simplifying the problem by focussing on “awareness training” – or worse, ticking a box with an annual CBT test – is not going to help anyone keep their organisation, or themselves, cyber-safe.