Security Awareness Blog

Security Awareness Topics With Greatest Impact

Okay, I had some ideas all lined up for a blog post, but Cormac Herley's paper The Rational Rejection of Security Advice by Users really got me thinking. I posted my initial thoughts on his paper the other day, but I wanted to take things a step farther. As you may remember (or if you have not read his paper), Cormac does a cost-benefit analysis on three different security awareness topics and determines they are not cost effective. While I may not agree with all of his analysis or findings, I do agree that different topics have different ROI (Return On Investment), and since resources are limited we need to focus on the topics with the greatest ROI. This got me thinking: what makes a good awareness topic, what will reduce the greatest risk at the lowest cost? Below are some requirements:

  • We need to focus on awareness topics that are more general in nature. In other words, as technology or threats change the basic lessons still apply.
  • The lessons we teach need to mitigate as many risks as possible. The more risks a topic mitigates, the more valuable it is.
  • The topic needs to be as non-technical as possible. People should not have to decipher SSL certificates to safely use the Internet (I have no idea how my car works but I like to think I drive it safely).

Below are several topics that I feel meet these requirements. Keep in mind that the topics with the greatest ROI for you depend not only on your organization, culture and requirements but also on your target audience.

  1. You Are A Target: Often people mistakenly believe that they are not a target, that criminals only go after major corporations, banks, servers and databases. They believe their computer has nothing of value. Of course we know this is not true, but you would be surprised how even today most people do not. As a result, one of the first steps of any awareness program should be to make sure people realize that they are a target.
  2. Social Engineering: The vast majority of attacks against humans are social engineering based. Phishing, scams, rogue anti-virus: they are all based on social engineering. Teach social engineering (or whatever you want to call it) and you have taught the foundation of many present and future attacks. I often like to start by using a non-technical example that you would find in the physical world.
  3. Email: Okay, let's face it: email is one of the primary methods used to socially engineer victims. Just about everyone uses email, and email makes it very simple for attackers to pretend to be someone else. This is where we want to start with best behaviors and examples of the most common email attacks (phishing, malicious attachments, etc.). In addition, the same lessons for email often apply to other communication methods, such as Instant Messaging.
  4. System Security: In large organizations, employees have little control over the way their computers are configured. In many ways this is good, as all the security is built in. However, for smaller organizations or even individuals, your organization *may* have to teach system security. If that is the case, then you will need to make people aware of the security controls that make the biggest difference, controls such as automatic patching, firewalls and anti-virus. I feel these are important because they are some of the most basic steps in protecting against malware and exploits.
  5. Passwords: This is actually one of the three topics that Cormac analyzed and documents as not having a return on investment. I actually agree with the numbers he came up with, but I don't agree with his conclusions. Passwords have become universal to how people operate, especially as everything we do begins to migrate to the 'cloud'. The problem with passwords as a topic is that a lot of what we teach is, I feel, simply bad information (never writing passwords down, changing them every ninety days, etc.). I was actually going to include what I feel should be taught for passwords and why, however it quickly got too long. Plan on a post soon just for passwords.

What do you think are the most important topics, what will give your organization the greatest bang for your buck... or quid, or dirham, or euro?


Posted April 9, 2010 at 9:40 AM

Cormac Herley

I think it's great to try to prioritize things in this way. We just haven't done enough of this in the past. Mostly agree with what you pick.
System security, absolutely: anything that gives ongoing protection for one-time effort has favorable ROI.
Email, yes: it still looks like a main mechanism by which victims are introduced to badness.
Social engineering, yes. Especially the automated flavors, like phishing, 419 etc.
You are a target. I would say you are attacked, rather than you are a target. Targeting means to me that someone is after you in particular. For many of us that's not necessarily the case, but it's important to realize that I am still attacked night and day, even if no-one is targeting me.
Password: look forward to your comments.

Posted April 17, 2010 at 10:28 PM


Good point, Cormac. However, in the context of the end user I think "You Are The Target" works well. Far too often the average person feels they have nothing of value and believes that cyber criminals only attack corporate servers (which we all know is not true). Not sure of a better way to phrase that for end users; if anyone has a suggestion, please speak up. However, when talking to the security community, I agree, the term 'target' can be a bit loaded as it may mean a threat that is focusing on a specific target (can we all say APT? :).

Posted April 16, 2010 at 3:36 PM

joe st sauver

If a site decides to stay with traditional passwords rather than moving to two-factor authentication, there are good reasons for requiring periodic password changes beyond just hardening against brute force attacks. I discuss some of these reasons in the NWACC security talk I did in November 2009, see (or .ppt if you prefer).