A Successful Security Awareness Organization Architecture: Identifying Key Behaviors
The process of evaluating and changing an organization's user behavior can be a large and daunting task, similar to looking at a picture of the Milky Way galaxy with the task of counting the rings around all the planets, but rest assured it can be broken down into a very simple process to follow. Over the next few weeks I will talk about how to identify key behaviors through assessment of an organization's culture, how to identify what about that culture is facilitating that user-based vulnerability, and finally how to identify and resolve holes in an organization's training in order to change those key behaviors.
All in all, it will become increasingly apparent why measuring culture is so important in successfully changing user behavior within an organization.
Identifying Top Three Problems Within an Organization
The first step in making a security awareness organization architecture is to identify the top three user behaviors that present the most risk and vulnerability to an organization. Think about it: if your car broke down on the side of the road with a flat tire, a broken sunroof, and a missing cup holder, are you going to fix the cup holder first? Of course not! The same applies when revamping your security awareness architecture. Start with the biggest problem and then work your way through the list.
The 12 Key Behaviors Analysis
Over the years MAD Security has asked clients what the top problem behaviors are within their organization. While some unique, and sometimes amusing, answers have come up, more often than not they fall within one of the 12 following categories.
1- Call the help desk more quickly to report a potential problem or possible attack
2- Properly handle and dispose of PII
3- Stop visiting unapproved / potentially dangerous sites while at work
4- Stop using email for abusive or inappropriate purposes
5- Be more resilient to phishing attacks
6- Create stronger passwords
7- Be aware of abnormal or suspicious behavior in the workplace
8- Be secure when working remotely
9- Be more aware of mobile device, laptop, and/or tablet security threats
10- Give out less information online and on social networking sites
11- Be more aware of secure settings and computer behavior when browsing the internet
12- Be more aware of shoulder surfing and make sure doors are properly shut behind them
Each of these categories represents a very real and very fixable problem within any organization, but the key is identifying the top three. Identifying the top three enables you to prioritize and get the most out of your efforts rather than trying to take on the whole world at once. Also, some of the smaller problem behaviors may be a side effect of larger issues and will therefore decrease when the larger issue is resolved.
Who to Evaluate
Now that we know what we need to ask, the next question is who has that answer, and how do we make sure we don't get a biased response or get sent on a wild goose chase? For example, imagine that Bob had a horrible experience with identity theft and happens to be the head of IT. When you ask him what the top 3 problems are, you get the following:
1- Properly handle and dispose of PII
2- Give out less information online
3- More resilient to phishing attacks
Later you find that the real issues are:
1- Create stronger passwords
2- More resilient to phishing attacks
3- Call the help desk more quickly
This is a problem with any survey-type analysis, but the way to resolve it is to ask more than one person. For the purposes of our task we want to ask the stakeholders. The stakeholders give you an idea of what the top 3 overall (not department-specific) problem behaviors are within the organization. Furthermore, as a group, the influence of one person's bias or bad experience is minimized, giving a more complete overall picture.
Now that the top 3 have been narrowed down, it's time to go to the CISO to ask (1) why those problems present a major issue to the company, (2) what the current training environment is doing to address them, and (3) what measurements are in place to look at their success or failure.
There you have it: Step 1. You have identified the top three user behaviors that present the most risk to the company. Furthermore, you know what is being done about them, which will come in handy when evaluating the holes in training, but that's for later.