Best Practices in Security Training
Worms and legislation dictate the need for security-savvy employees; here's how to train them and reinforce human nature.
Security gurus often declare that securing the enterprise takes the three “Ps”—policies, procedures, and people. In the same breath, they also say that security practitioners too often overlook the latter.
It’s no surprise. Technology can be evaluated, tested, benchmarked, and rolled out. Co-workers, on the other hand, present no such luxuries. Users are difficult—it’s that “human behavior” thing. They naturally resist change and slide back into old habits unless the new ones are constantly reinforced. While no one is asking security managers to play psychologists, familiarity with human tendencies can help security managers design more effective security awareness—and subsequent reinforcing of awareness—programs.
“Security-savvy employees are critical to the strength of an organization's overall security posture, and exposing the workforce to messages about security best practices is a critical first step” to not only creating more secure users, but a more effective security awareness program in general, says Max McLellan, a regional training director for Symantec Education Services.
Ian Hameroff, security strategist for Computer Associates, echoes those sentiments, especially in light of recent worms on the rampage. “Even the best antivirus technology can succumb to a lack of end-user awareness and ongoing maintenance.” Of course given the Health Insurance Portability and Accountability Act (HIPAA) and other recent legislation that penalizes companies with poor security habits, poor user behavior can ultimately leave the company with a security black eye in public.
The first step in re-education is breaking old habits. “People fear change,” says McLellan. “What we want them to do is stop doing that in some sense." One method is to give them “a best practices” of how they should behave to encourage security-positive behavior.
The classic way to do that is via metrics, he says—characterize what the problem is. As an example, McLellan mentions a company that re-designed its security program which included a goal of improving average password strength.
First, the company measured network access password strength. Using readily available tools, “about 70 percent of peoples' passwords could be cracked in a tenth of a second,” he says. The security educators then used that metric to communicate the organization’s current password reality as part of an awareness campaign.
At the end of the awareness program, password security, predictably, increased. Yet “at the end of six months, effectiveness decreased again,” says McLellan. The issue was no longer top-of-mind for users.
Making Security Personal
Obviously companies need to reinforce the message over time. One trick: make security personal by tieing in an area needing improvement to current events, as well as to the “benefit to the individual,” says McLellan. For instance, given all of the recent Blaster activity, “release the organization’s policy on virus protection,” as well as information on viruses and signs of infection,” he says. “Tell them how it can be put right … and it will start to encourage lasting change and behavior," as opposed to users ignoring or deactivating anti-virus software, or opening strange attachments they receive in their free, Web-based e-mail accounts.
The best awareness-changing campaigns, says McLellan, start with a statement of the company’s policy, followed by reinforcements that play to human strengths and weaknesses, followed by a return-on-investment presentation by security staff to management. Any campaign objectives “of course should be business-orientated if at all possible," he notes, since it will help the security pros prove the program’s effectiveness to bosses.
As an example, take a program to decrease security badge replacements. First, the security manager should look at badge loss rates for a month, he says. Then use that metric to reinforce better behavior. At the same time, although a badge’s replacement value might only be $5 or $6, every lost badge is a security problem. So charge users a higher fee—perhaps $30—to get a replacement badge. In other words, make it personal, and give users a reason to not lose their badge.
"Hopefully it will start to put a little reality check in and it will cause people to start remembering their badge,” says McLellan. That will help drive cultural change—employees helping each other remember their badges. Then security staff gets to report improvements—hopefully—to managers.
In the end, tools alone won’t secure any company. “Technology needs to be coupled with ongoing vigilance, consistent security policies, and education to make certain employees understand why the policies have been enacted and, ultimately, how they can benefit from them,” notes Hameroff.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.