1 You Know Why.
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Bruce Schneier, Secrets & Lies
OK. So, if you are reading this book, you likely already know why you need it. The world is in desperate need of better equipped security awareness leaders. The headlines and statistics make it clear that security technologies, no matter how good they become, will never be 100 percent effective. Cybercriminals will find gaps and points of ineffectiveness in the technologies and exploit them. It's the age-old arms race.
In that age-old arms race, regardless of whether we are talking about computer security or physical security, cunning criminals have realized that they can effectively and reliably bypass an enemy's defensive systems by exploiting vulnerable humans. The main tactic here falls under the simple heading of social engineering: the process of getting someone to believe something, reveal something, or do something that works to further an attacker's goals.
Security professionals are in a quandary. Many of them feel that they could build secure systems if only those pesky end users wouldn't ruin everything. Security teams develop robust policies that clearly define appropriate behavior, but the users don't follow the policies; in fact, they go around the policies.
But there is hope. Our job as security leaders is to deal with these issues head on, and that's where this book comes in. Welcome to the world of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. Over the next couple hundred pages, we'll peer into many fascinating (and sometimes frustrating) aspects of human nature. And we'll discover methods and tactics that we can use to shape the hearts, minds, and actions of our end users.
First, let's set the stage. In this chapter, we'll build the case for why a focused approach to security awareness training is critical for our security programs. This is foundational. You can use the information presented here to justify your investment of time and resources working on end-user training. And it provides enough ammo to shut down any naysayers who might argue that security awareness is a waste of time.
Humans Are the Last Line of Defense
Here's the truth: humans are the most important part of your cybersecurity program. Ignore them at your own peril.
No matter how much money we spend on technology, planning around human factors must be a critical part of the planning and implementation process. Why? Because humans are involved at every stage of the game.
- Humans determine the need for new technologies.
- Humans determine the need for new processes.
- Humans select the technologies to purchase and implement.
- Humans define process standards to be followed.
- Humans review and tweak the settings of the business technologies purchased.
- Humans review and tweak the settings of the security technologies purchased.
- Humans design and code the applications you develop in-house.
- Humans review the agreements that you have with third-party organizations.
- Humans decide how to respond to suspicious incidents within your organization.
- Humans decide how to respond to someone trying to tailgate into your building.
- Humans make both conscious and unconscious decisions as to how they will react to the systems and information that they interact with each day.
- Humans are your employees, contractors, shareholders, and customers.
Everything and everyone in your organization is impacted by the decisions and behavior of other humans.
There are other dimensions as well. Human behavior can range from negative to neutral to positive. Negative human behavior can be either unintentional (negligent) or intentional (malicious). Similarly, human behavior that is neutral, positive, helpful, or good is either intentional or unconscious. Figure 1.1 illustrates this point and can help you see how human behavior can fall into one of four quadrants, or zones. In Part 3 of this book, I'll propose some strategies for how to work with the types of behaviors associated with each zone.
Figure 1.1: Continuum of behavior from unintentional to intentional with malicious/harmful to beneficial outcomes.
As you think about the continuum of human behavior, slow down for a moment and consider the number of human touchpoints in every part of your organization. I'm sure you can quickly see that we do ourselves a disservice by simply hoping that technology-based systems will ever provide an adequate level of protection. When all other processes, controls, and technologies fail, humans are your last line of defense. What are you doing to equip them to be effective?
Data Breaches Tell the Story
Conduct even a cursory amount of research into the history of data breaches and you'll see the danger posed by human errors. Your users, all your users, contribute to the security posture of your organization. This ranges from the decisions and behaviors of your executive team and board of directors to your general end users to your IT staff and contractors. This isn't just an end-user population problem. It's an everybody problem because it's a human problem. As Walt Kelly, creator of the classic newspaper comic strip Pogo, put it when creating a poster for the first-ever Earth Day observance in 1970, "We have met the enemy and he is us." [1]
From the issues we all think about, such as clicking a phishing link or falling for more sophisticated social engineering scams, to much more mundane issues such as not securely disposing of documents containing sensitive information, we see that human error leads to data breaches. But here's the problem: as security technologists, we tend to put a disproportionate amount of our messaging and focus around data breaches that occur through technical means. The result can easily be that organizations end up doing a fantastic job helping employees suss out phishing emails but still leave them ignorant and unequipped to make secure decisions across a host of other areas. It's like closing and locking the front door of your house but leaving the garage and back doors open and unlocked. Figure 1.2 provides some examples of both technology-enabled and non-technology-enabled human errors that can lead to security incidents and breaches.
Figure 1.2: Examples of both analog and technology-enabled human errors that lead to security incidents and breaches.
For reference, Table 1.1 shows a quick sampling of some of the major data breaches of the past decade. Because I could fill a book (several books actually) with a listing of data breaches, I'm limiting the list to one significant breach each year.
Table 1.1: Example data breaches and their human factor causes
Year: 2008
Organization: Bank of New York Mellon [2, 3]
Impact: Multiple issues contributed to a data breach impacting up to 12.5 million BNY Mellon customers. The first issue was that sensitive data on the tape was not encrypted. Then the tape went missing. The incident was caused by the loss of a backup tape that was handed off to a third party for storage with nine other tapes. When the tapes arrived at the off-site storage building, one was missing; the other nine were accounted for.
Human Factor Cause: Loss of unencrypted backup tape

Year: 2009
Organization: Heartland Payment Systems [4, 5]
Impact: Heartland Payment Systems was breached by hackers using a common SQL injection vulnerability. The result was the loss of 130 million credit and debit card numbers and more than $140 million in breach-related expenses.
Human Factor Cause: Poor coding (SQL injection)

Year: 2010
Organization: CitiGroup [6, 7]
Impact: Approximately 600,000 CitiGroup customers received year-end tax statements with their Social Security numbers printed on the outside of the mailing envelope delivered by the U.S. Postal Service.
Human Factor Cause: Formatting error oversight

Year: 2011
Organization: RSA Security [8, 9, 10]
Impact: Attackers were able to breach RSA Security's network by sending two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high-profile or high-value targets. The email subject line read "2011 Recruitment Plan." Seeds for RSA SecurID two-factor authentication tokens were exfiltrated. In addition to dealing with the public outcry and loss of face in the security community, RSA Security spent approximately $66 million reissuing physical tokens to SecurID customers.
Human Factor Cause: Spear-phishing attack with malware payload

Year: 2012
Organization: Yahoo! [11]
Impact: Attackers embarrassed Yahoo! and shocked the security community by posting the usernames and passwords of 450,000 users associated with the Yahoo! Contributor Network. The attackers used a common SQL injection...