Okay, I had some ideas all lined up for a blog post, but Cormac Herley's paper The Rational Rejection of Security Advice by Users really got me thinking. I posted my initial thoughts on his paper the other day, but I wanted to take things a step further. As you may remember (or if you have not read his paper), Cormac does a cost-benefit analysis on three different security awareness topics and determines they are not cost effective. While I may not agree with all of his analysis or findings, I do agree that different topics have different ROI (Return On Investment), and since resources are limited we need to focus on the topics with the greatest ROI. This got me thinking: what makes a good awareness topic, and what will reduce the greatest risk at the lowest cost? Below are some requirements:
- We need to focus on awareness topics that are more general in nature. In other words, as technology or threats change the basic lessons still apply.
- The lessons we teach need to mitigate as many risks as possible. The more risks a topic mitigates, the more valuable it is.
- The topic needs to be as non-technical as possible. People should not have to decipher SSL certificates to safely use the Internet (I have no idea how my car works but I like to think I drive it safely).
Below are several topics that I feel meet these requirements. Keep in mind that the topics with the greatest ROI for you depend not only on your organization, culture and requirements, but also on your target audience.
- You Are A Target: Often people mistakenly believe that they are not a target, that criminals only go after major corporations, banks, servers and databases. They believe their computer has nothing of value. Of course we know this is not true, but you would be surprised how even today most people do not. As a result, one of the first steps of any awareness program should be to make sure people realize that they are a target.
- Social Engineering: The vast majority of attacks against humans are social engineering based. Phishing, scams, rogue anti-virus, they are all based on social engineering. Teach social engineering (or whatever you want to call it) and you have taught the foundation of many present and future attacks. I often like to start by using a non-technical example that you would find in the physical world.
- Email: Okay, let's face it, email is one of the primary methods used to socially engineer victims. Just about everyone uses email, and email makes it very simple for attackers to pretend to be someone else. This is where we want to start with best behaviors and examples of the most common email attacks (phishing, malicious attachments, etc.). In addition, the same lessons for email often apply to other communication methods, such as Instant Messaging.
- System Security: For large organizations employees have little control over the way their computers are configured. In many ways this is good as all the security is built in. However, for smaller organizations or even individuals, your organization *may* have to teach system security. If that is the case, then you will need to make people aware of the security controls that make the biggest difference, controls such as automatic patching, firewalls and anti-virus. I feel these are important because they are some of the most basic steps in protecting against malware and exploits.
- Passwords: This is actually one of the three topics that Cormac analyzed and documents as not having a return on investment. I actually agree with the numbers he came up with, but don't agree with his conclusions. Passwords have become universal to how people operate, especially as everything we do begins to migrate to the 'cloud'. The problem with passwords as a topic is that a lot of what we teach I feel is simply bad information (never writing passwords down, changing them every ninety days, etc.). I was going to include what I feel should be taught for passwords and why, however it quickly got too long. Plan on a post soon just for passwords.
What do you think are the most important topics, what will give your organization the greatest bang for your buck... or quid, or dirham, or euro?