The central theme for many security awareness month articles is "Awareness programs are failures", quickly followed by a rally cry, "We need to change them." This is too vague an objective.
Lance Spitzner of Honeynets Project fame thinks we need to think differently if we truly hope to create effective programs. I agree. But there's more than merely thinking differently to consider. We need to stop thinking in a vacuum.
Lance claims "To have an impact and secure the HumanOS, we have to start thinking differently about awareness and education." What I conclude from this comment and shared with Lance is that we need to admit that as security and technology professionals, we are ill equipped to develop effective security awareness programs without help from others.
Our orientation to security awareness is shaped by what we know about threats, risks, and exploits and the techniques and technology we can use to mitigate them. Security success often relies on knowing our enemy. We study their methods, means and motives. We track their behavior.
Know Your Friends
We know more about our enemies than our friends. This is our collective blind spot. Imagining that the people for whom we design security awareness programs have the same vested interest in, fascination with, or time to "be secure" is pure folly, hubris or both. Our enemies, however, study our friends (our users): studying how users behave, observing how quickly user interactions with devices become rote, and teasig out what makes users act without thinking form the foundation of social engineering.
Expand the Talent Pool
Success at raising security awareness rests on knowing our friends. We don't study the HumanOS that the average Internet user boots up when he wakes as much as we study criminals or miscreants. Fortunately, others do.
Sociologists study social activity. Psychologists study human behavior. Collectively, they study most of the critical functions of the HumanOS. Why are we not engaging experts in these fields to help raise security awareness?
If we want to experiment with a psycho-social-technological approach to security awareness, perhaps we can start with social engineering. Social engineering is arguably the most widely used tool in the criminal tool kit. Social engineers have a distinct advantage on the ecrime playing field. They draw upon decades of exhibited Internet behavior and millennia of successful acts of fraud or deception. Often, with almost trivially simple technology they are able to steal, defraud, coerce, or impersonate with almost a free hand.
Security professionals know how criminals victimize users. We offer "day late, dollar short" awareness programs of the form "here's how phishers steal your credentials, so don't fall for this kind of scam". This approach is as successful as telling people "eat fewer calories than you burn and you'll lose weight". Both are well-intentioned but ineffective because they unrealistically assume that the fix is obvious and changing behavior is easy.
Change Behavior not Software
Effective weight loss programs involve education, coaching, counseling or activites that are less oriented to helping individuals to manage anxiety, frustration, urges, or other reasons that cause them to make poor diet choices.
Weight loss programs aren't designed exclusively by physicians or scientists who study nutrition, and neither should security awareness programs be designed by experts who study social engineering or ecriminal activity. The same is true for healthcare awareness programs and month long campaigns. Breast cancer and heart disease awareness are noteworthy and effective examples. These effectively incorporate sociological and psychological considerations into awareness program designs. If we are unwilling to adopt similar orientations and strategies, we may continue to fail to make awareness programs effective.