Security Awareness Blog

RSAC Lab: Achieving and Measuring Success with the Security Awareness Maturity Model


Note: At RSA Conference 2017 I taught a two hour lab on the Security Awareness Maturity Model: what the model is, how to leverage it in establishing a mature awareness program, and how to measure your program. This summary was written as a follow-up for the students who took the lab. Due to interest, I'm reposting the key points from that lab for the entire community. This lab summary is published with permission from the RSA Conference folks.

The Security Awareness Maturity Model

This model was created through a consensus effort of over 200 security awareness officers six years ago. The model not only lets you visualize where your program is and where you want to take it, but also provides a roadmap for how to get there. In addition, all attendees were provided a copy of the Security Awareness Roadmap poster, which details each stage of the model and the steps to achieve them. A key point in building awareness programs is that we cannot tell you how to build your program; every organization is too unique. Instead, by leveraging the model we provide a roadmap and a series of questions, and by answering those questions you build your plan.

Creating a Plan

To build a mature awareness program you need a plan. A common indicator of an immature awareness program (often one in the compliance stage) is that there is no plan. Instead, random topics are picked on an ad-hoc basis and presented a couple of times a year. To establish a truly mature awareness program you need a long term strategy, and to achieve that you need to answer three key questions.

  • WHO: Whose behaviors are you attempting to change?
  • WHAT: What behaviors are you attempting to change? This is the question we focused on in the Lab, as the WHAT drives what you will measure for metrics, and how.
  • HOW: How will you change those behaviors? (The key element here is communications.)

Due to the time limitation of the Lab, we only focused on the second question. One of the questions we received in the Lab was what about answering the question WHY. WHY is a critical part of HOW. In order to effectively engage people, you have to first explain to them WHY cyber security is important. The most effective awareness programs engage people at an emotional level. However, due to time limitations we were not able to cover that. To learn more, consider attending the SANS MGT433 course, covered in the Further Resources section.

WHAT: Prioritizing Your Behaviors

A key element of a mature awareness program is focusing on as few behaviors as possible. Not only does every security behavior have a cost to both the employee and your organization, but people can only remember so much before they hit what is called cognitive overload. This is where they are so overwhelmed with information that they simply forget it all. This is a common failure of awareness programs: security teams want to mitigate all risk, so they try teaching as many behaviors as possible. This does not work. Ultimately, you should have a compelling reason for every behavior you teach. By focusing on only a few key, high impact behaviors you are far more likely to change behavior and have an impact. This requires you to conduct a human risk analysis to determine your top human risks. We did this as part of our first lab exercise using a qualitative risk analysis. Working in Lab groups, you were required to prioritize your 9 top human risks out of a list of 18.

However, as we explained in the session, identifying your top human risks is only half the battle. After identifying your top human risks, you then have to identify and document the top behaviors that manage those risks. This is a commonly ignored or forgotten step. As an example of this process we used passwords. Passwords are a common human risk that many organizations cover in their awareness program, but they often do it wrong by overwhelming employees with confusing, complex and inefficient behaviors. We covered how this topic could be vastly simplified, with the end result of being more likely to change behavior AND effectively managing risk. We then covered how these behaviors are documented in the Learning Objectives document. As a final lab exercise you were required to pick your own top human risk and then create a Learning Objectives document for that risk identifying all the key behaviors.

Measuring Your Behaviors

I'm often asked by people what they should measure in their awareness program. This is the wrong question. The question every organization should ask itself is which behaviors it cares about the most: which behaviors will manage the greatest amount of risk? Once you have identified and prioritized your key behaviors you in essence have your metrics program. That is why we completed the WHAT process first. This is also why the Learning Objectives document is so important. Each document lists all the behaviors used to manage that specific human risk. These behaviors drive your metrics. Some of the key takeaways for an effective metrics program include:

  • Do not ask what you should measure; start with the behaviors you care most about. Those should drive your metrics program.
  • Focus on only a few key metrics, the ones most useful to you. A common mistake is using too many metrics, which distract you and waste your time.
  • The biggest difference between human metrics and most other security metrics programs is that we are measuring people, and people have emotions. This is where most awareness programs go wrong. You want an assessment program that people are not threatened or insulted by. If done correctly, any type of metrics program can become gamified, where people perceive it as a friendly competition or learning experience. This means do not do a wall of shame, send out Viagra phishing emails or try to trick people with advanced social engineering tests. Instead, focus on common, real world attacks.
  • Make heroes out of people who do the right thing. Not only is recognition a huge motivator, but hero stories help reinforce the key behaviors you do want people to adopt.
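The following is an added example, not code from the lab or from SANS, showing how the Learning Objectives for one human risk (phishing) turn directly into a small set of metrics, and how those metrics can be reported without singling anyone out. The recipient records are constructed sample data from one simulated phishing campaign; the field names (`dept`, `clicked_at`, `reported_at`), the department grouping and the behavior-to-metric mapping are all assumptions made for illustration.

```python
"""Derive behavior metrics from a simulated phishing campaign.

Added example (not from the lab or the SANS materials).  Two behaviors from a
hypothetical Learning Objectives document for the "phishing" human risk each
map to exactly one metric, and results are only ever aggregated by department
and org-wide, so nothing here can become a wall of shame.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical Learning Objectives for one human risk: behavior -> metric.
# Deliberately only two behaviors, per the "focus on a few" guidance.
LEARNING_OBJECTIVES = {
    "risk": "Phishing",
    "behaviors": {
        "Does not click links in unexpected email": "click_rate",      # lower is better
        "Reports suspicious email promptly": "report_rate",            # higher is better
    },
}

# The simulated campaign was sent to everyone at 09:00 (constructed data).
CAMPAIGN_SENT = datetime(2017, 3, 1, 9, 0)

# Constructed recipient records; None means the recipient did not do that thing.
# A recipient who clicked and then reported counts toward both behaviors.
RECIPIENTS = [
    {"user": "u01", "dept": "finance", "clicked_at": datetime(2017, 3, 1, 9, 4), "reported_at": None},
    {"user": "u02", "dept": "finance", "clicked_at": None, "reported_at": datetime(2017, 3, 1, 9, 3)},
    {"user": "u03", "dept": "finance", "clicked_at": None, "reported_at": None},
    {"user": "u04", "dept": "finance", "clicked_at": datetime(2017, 3, 1, 9, 10), "reported_at": datetime(2017, 3, 1, 9, 12)},
    {"user": "u05", "dept": "finance", "clicked_at": None, "reported_at": None},
    {"user": "u06", "dept": "engineering", "clicked_at": None, "reported_at": datetime(2017, 3, 1, 9, 2)},
    {"user": "u07", "dept": "engineering", "clicked_at": None, "reported_at": datetime(2017, 3, 1, 9, 5)},
    {"user": "u08", "dept": "engineering", "clicked_at": None, "reported_at": None},
    {"user": "u09", "dept": "engineering", "clicked_at": datetime(2017, 3, 1, 9, 30), "reported_at": None},
]


def _rates(records, sent_at):
    """Compute the two behavior metrics plus time-to-first-report for a group."""
    n = len(records)
    if n == 0:
        return {"recipients": 0, "click_rate": None, "report_rate": None,
                "minutes_to_first_report": None}
    clicks = sum(1 for r in records if r["clicked_at"] is not None)
    reports = [r["reported_at"] for r in records if r["reported_at"] is not None]
    first = min(reports) if reports else None
    return {
        "recipients": n,
        "click_rate": round(clicks / n, 3),
        "report_rate": round(len(reports) / n, 3),
        # The first report is what gives the security team its warning.
        "minutes_to_first_report": (first - sent_at).total_seconds() / 60 if first else None,
    }


def behavior_metrics(records, sent_at):
    """Aggregate per department and org-wide.  User identifiers never appear
    in the output, which is the point: measure the behavior, not the person."""
    by_dept = defaultdict(list)
    for r in records:
        by_dept[r["dept"]].append(r)
    out = {dept: _rates(rs, sent_at) for dept, rs in sorted(by_dept.items())}
    out["all"] = _rates(records, sent_at)
    return out


def risk_scorecard(objectives, metrics):
    """One line per documented behavior, using org-wide numbers only."""
    lines = [f"Human risk: {objectives['risk']}"]
    for behavior, metric in objectives["behaviors"].items():
        lines.append(f"  {behavior}: {metric} = {metrics['all'][metric]}")
    lines.append(f"  Minutes until first report: {metrics['all']['minutes_to_first_report']}")
    return lines


if __name__ == "__main__":
    m = behavior_metrics(RECIPIENTS, CAMPAIGN_SENT)
    for dept, stats in m.items():
        print(dept, stats)
    print("\n".join(risk_scorecard(LEARNING_OBJECTIVES, m)))
```

Note what the scorecard does and does not contain: it reports the two behaviors named in the Learning Objectives and the time until the first report (the number that actually matters to incident response), and it never emits a user identifier. Recognizing the individual reporters as heroes is a separate, positive communication, not a column in the metrics output.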

Awareness programs are an extremely effective way to manage human risk. You can and will change behavior and ultimately your organization's culture; however, you need an effective long-term strategy to accomplish that, which is why the Security Awareness Maturity Model is so powerful. It provides the roadmap to success.

Further Resources

Our journey in securing people is only beginning; we all have a tremendous amount to learn as a community. Here are some resources to help you down that path.

Lab Handouts: These are the handouts from the Lab. Additional handouts are also included, which you can learn more about in the SANS MGT433 course.

SANS MGT433 Course: Two day course on building a mature security awareness program. This course is taught by Lance Spitzner multiple times a year all over the world.

Security Awareness Summit: Held 2-3 August in Nashville, TN with over 200 security awareness officers and industry leaders from around the world sharing lessons learned and resources on creating mature awareness programs.

Security Awareness Roadmap Poster: Have the Roadmap poster shipped to your organization to hang in your office as a reference.

BJ Fogg's Behavior Course: Private boot camp led by Dr. BJ Fogg on behavioral change. Limited to 10 people, he hosts the class at his home in California.

Leading Change by John Kotter: The book / industry standard on change management. Surprisingly easy to read yet extremely informative.

Made To Stick by Chip and Dan Heath: This book is becoming the industry standard for security awareness officers on effective engagement and communication.