When Coolio sang these words in “Gangsta’s Paradise,” I doubt that he had information security awareness in mind:
They say I gotta learn, but nobody's here to teach me
If they can't understand it, how can they reach me?
I guess they can't, I guess they won't
I guess they frontin’; that's why I know my life is out of luck, fool
While no one would accuse Coolio of being a pedagogue, the lyrics are quite applicable to the often-sorry state of information security awareness training. In Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley ISBN: 978-1-119-56634-2), author Perry Carpenter has written an interesting work that addresses the weakest link in information security—that of the end-user.
The truth be told, it’s always easy to blame the end-user. However, the reality is that end-users make many mistakes when systems and interfaces are poorly designed. And they make security errors when they don’t have effective training. That point was made eminently clear two decades ago in Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0, by Alma Whitten and J. D. Tygar.
In that seminal paper, the authors argued that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near nonexistent.
When it comes to security awareness training, too many firms think that all they need to do is show their staff a boring PowerPoint and that they’ll somehow get the message. In the book, Carpenter pretty much throws out all of the old-school methods for security awareness and suggests much better methods to get the message across. In this valuable book, Carpenter shows the steps necessary to make information security awareness transform from a sleepy exercise to one that engages and informs all of the participants.
Carpenter writes that for security awareness to be successful, a multidisciplinary approach must be taken. To that end, he brings many insights on how to effectively get the awareness message across. While too many people focus on cute images and memes for the awareness presentation, the book shows how there is much more to awareness than that. There are areas of psychology, culture, communications, and much more that must be integrated into the awareness program for it to be effective.
At the beginning of chapter 3, Carpenter quotes Lance Spitzner of SANS, who noted that 80% of security awareness professionals have highly technical backgrounds. That shows that they understand the problem. However, if they don’t have the requisite communications and training skills, then the message of information security won’t get across. The rest of the book expands on that idea that for awareness to be effective, it has to be effectively thought out and implemented.
A large part of the process Carpenter tries to give over focuses on the notion of intentional focus. Unless the participants have this intentional focus on the content (and he spends much time on how to develop compelling content), then the awareness training will simply be a fruitless endeavor.
For those who are serious and looking to develop an information security awareness program that works and resonates a compelling message, Carpenter has written a highly practical guide to show you how to do that. There are no shortcuts suggested. Instead, the reader is expected to do the necessary legwork and develop their own awareness program.
The mark of a really good book is when after reading it you see that all of it makes sense. And this is indeed a really good book. The term Transformational in the title is not a hyperbole. For those looking to ensure their user’s security behaviors are done in a secure manner, this is a great guide to take you there.