Albert Einstein is largely credited (some say incorrectly) with the quote “Insanity is doing the same thing over and over and expecting a different outcome”. Whether he said this or not is not the point of this post; the intent of the quote itself is.
You see, “tried and tested” techniques of cyber security awareness focus mostly on trying to help users understand the threats and spot them before they fall foul of them. Yet we see time and again that these approaches do not eradicate the issue of human error; if anything, the statistics on the common denominator of attacks increasingly show the human as the favoured point of entry.
So back to the evocative title in this piece, does this mean we are all idiots? My counter is a resounding “NO!” (sorry for shouting). Does it also mean that we can be “secured” or (dare I say it as I despise the term) become a “human firewall” for our organisations? I think the answers to these are also “no” (not shouting here) and “really, you marketing f*ckwit” respectively.
So this should then pose a follow-on question: should we stop trying to achieve this “awareness” and security for the end users?
Now here is where the tricky bit comes in. You see, if making someone “aware” is the goal, then I suppose you can crack on regardless without really moving the needle (do what you’ve always done, get what you’ve always gotten) on what this is doing for your organisation or the user and their extended network. Doing it this way may provide a convert, who then becomes an advocate and is “immune” to future approaches, but it won’t necessarily mean a well-educated and motivated workforce.
What, though, if your goal is to change the behaviour of the wider set of your “awareness” targets, and not only arm them with the skills to spot the threat and the tell-tale signs of attacks, but also give them the “Spidey” sense to spot future ones of the same ilk? For this I think we’re gonna need a bigger boat (you don’t need a boat, and no prizes for guessing the film!).
So what can we do? Where can we take awareness? And where’s the coffee you promised?
Firstly, the cuppa and choc bickies are for you to provide; I’m not made of Nespresso and McVities Chocolate Digestives, you know!
Secondly, what we can do is start engaging our users through the ways they enjoy learning, and through the approaches we use to help with this. This approach needs to be relevant to their role and organisational idioms, and get them discussing the topics and content amongst their colleagues. Even better if you can transfer these topics to the home, as this allows the learning to be taught and discussed further outside the workplace so it can be ingrained in their wider life (Kids Tales anyone?).
Thirdly, to change awareness into behavioural change we need to stop believing the hype of marketing literature whose sole raison d’être is to shift more units/courses.
Users aren’t stupid; they will always make mistakes, and we should stop thinking of them as some form of security backstop for when the expensive technology or fancy Six Sigma processes have let your company down (AGAIN!).
We are all also only ever one click away from notoriety. We all have the capacity to fall foul of a well-structured email, text or other such clickbait approach. The attackers know this, and they know that it is a simple anthropological output of being a human in a functioning society.
I started this post with a quote that is sometimes wrongly attributed and I will finish with one: P.T. Barnum is oft quoted as saying “there’s a sucker born every minute”. Whilst this is difficult to argue against based on the amount of human error involved in cyber attacks, surely it’s time to try a little harder to make the education of those “suckers” (I count myself as one too) more engaging and relevant, so as to make awareness more about behavioural change and less about some cookie-cutter content that is read, listened to or watched and then forgotten instantly?