I am a strong advocate of programs which establish and support security savvy end-users. Security ‘common sense’ is neither common nor intuitive, yet plays a significant role in the protection of entire computing environments. It is an important and frugal way of improving the overall security posture of an organization. Although ongoing investment in behavioral security programs is valuable, it can be difficult to measure and justify.
The purpose of security awareness campaigns is to change or reinforce behaviors of the community in a manner which improves the overall state of cyber-defense. Users can be the best asset or the worst enemy of an organization. Some would say the value is limited to social engineering attacks, but consider that well informed users will purposely stay aware of ever changing security issues and are more apt to apply patches/updates, take precautions with new technologies, and use common security sense when dealing with less trustworthy aspects of computer use as compared to uninformed or careless users. In this manner, such behaviors extend well beyond the obvious social engineering attacks.
How should the value be measured? The obvious approach may not be the best. Take for example, an employee training program instituted to improve general awareness, identify dangerous situations, recommend good practices, and communicate how to get assistance. Typical metrics for training programs are focused on saturation and recollection. They measure how many people or what percentage has completed the course. More ambitious metrics may actually test absorption, administering a test at the end of the class and scoring users’ knowledge. These metrics track the progress of the project and have their place, but neither actually measures the security value.
Avoid investing in the wrong measures. To estimate the value, as a factor of reducing security risk, the impact of what is being taught must be measured. Did the number of successful attacks or the average loss per incident decrease?
If a behavioral security program succeeds, it changes the actions of users to be more secure. The end result will manifest in a number of measurable ways:
A reduction in the number of successful attacks. Attack attempts may not decrease, but due to better decisions on behalf of the users, fewer will succeed.
A reduction in losses for those attacks which do succeed. Security smart users play a key role in detection and rapid response to attacks which can reduce the overall losses experienced. Measuring the average loss per incident is a good tactic to recognize underlying value.
A change in the type of attacks targeted at the organization. When attackers find a winning method, they stick with it. When those methods become ineffective, attackers specifically targeting the organization must adapt. A security aware workforce can change the game dynamic by forcing threats to evolve their attack methods. These adaptations can be measured and more importantly, communicated to users in a continuous feedback cycle to keep them informed of emerging attack vectors, thereby sustaining the security value proposition.
A widespread behavioral security awareness campaign, to establish and maintain security experienced users, is both valuable and important. It is not a silver bullet, but it is one of the most powerful components to a defense-in-depth security strategy, as users can play a role in the prediction, prevention, detection, and response aspects. Security savvy users are the core of behavioral security. Measure the true success and value by understanding their impact.