Everyone resents being forced to complete mandatory training, especially when they don’t understand why the content is necessary. A large part of our job as security professionals is to ensure that our people understand why they need recurring security training.
I love teaching basic Security Awareness. To be fair, I should love teaching when you consider that’s literally what I get paid to do. In truth, you don’t have to love your job to do it well. I’ve worked with lots of people over the years who were exceptionally competent professionals whose true life passions were about topics unrelated to their occupation (music, art, video games, etc.). For me, though, teaching people about cybersecurity is immensely satisfying.
As an example, we taught a live (that is, an in-person, instructor-led) version of our annual Security Awareness course to a small group of folks last week that wound up going a half-hour over. Once the formal lecture part was finished, the students had tons of questions. My teammate and I stayed after class to answer everything that we could. That experience reminded us that our function really matters; that we’re making a positive impact on the lives of our colleagues.
That’s why I prefer teaching live classes. First, the students get to ask questions on the content they’ve just been taught. Second, we can spend as much time as is needed to ensure that we craft just the right analogies and metaphors to get the core message across such that it’ll be understood and remembered. That last part is often trickier than it sounds.
One of the questions that we regularly receive in our live classes is ‘why do we have to take this class again every year?’ We could simply cite the strategic governance standard. That’s an accurate answer, but it doesn’t communicate why the standard is necessary. It simply kicks the can down the road and ignores the heart of the question. People can sometimes bristle at being told ‘do this because a rule book said you have to.’ Yet, it is our role to explain the logic and intent that drove the adoption of the standard.
Standards usually exist to help people and organisations avoid repeating known mistakes. Sometimes, fatal or near-fatal mistakes.
It’s important for every new information systems user to receive basic Security Awareness training when they first join the team. A new colleague needs to be oriented to the organisation’s expectations. What are they forbidden to do? Discouraged from doing? Allowed to do only under special circumstances? These are all concepts that users should be taught before they start working so that they don’t accidentally get themselves into trouble. If saving files to a personal flash drive isn’t allowed (for example), tell people that early on. Their last employer might not have cared about removable media, so they may never stop to think about the possible security ramifications of doing what they’ve always done.
Put another way: initial training is needed to pre-emptively dispel misconceptions and set the so-called ‘red lines’ on behaviour. People understand that logic. So … why teach people those same initial expectations again a year later? Because people have a natural tendency to forget things over time; especially things that don’t seem directly relevant to their lives. For me, that would be calculus. I don’t remember a darned thing from my university calc class because I never once used it. Lots of folks would say the same about obscure and seemingly arcane security rules. We don’t retain information that we don’t regularly use.
One of the analogies that we used back in the early 2000s was how security knowledge was like an old-fashioned grandfather clock. Taking initial security training was akin to winding the clock up and setting the correct time. As the day progressed, the stored energy from the clock’s springs would slowly run out. The longer you let the clock run without rewinding it, the more likely it was to deviate until it finally ran out of energy and became useless. Therefore, each user needed to refresh his or her knowledge on a regular basis to ensure that their behaviour was always appropriate.
The grandfather clock analogy is … okay. It’s fine, but it’s also anachronistic. It’s not terribly motivating now that we all have smartphones, so the very concept of an old-fashioned grandfather clock is no longer relevant. We don’t need a wind-up clock to tell time; we have hundreds of meticulously accurate devices around us 24/7 to handle that chore. Such a clock is, at best, an affectation. A piece of art. We don’t want users thinking about security behaviour as something that has no practical purpose in everyday life.
Most traditional timepieces have changed from functional tools to affectations: displays of wealth, style, or station rather than useful instruments. Smartphones will probably become the new pocket watches in 10 years when Apple and Microsoft finish deploying device-less Augmented Reality.
Over the last few years, I’ve found that a more useful analogy is to compare security training to maintenance on a ship. When a ship first leaves the builders for the sea, it’s 100% rust-free. Everything on the vessel is brand new, freshly painted, and ready for action. That’s pretty close to how our bright, shiny new employees are when they first get to the company. Eager, prepared, and ready for adventure. As any seasoned sailor will tell you, ships don’t stay rust-free for long. Putting a metal object in salt water means that rust will take hold whenever and wherever it can; it’s inevitable.
A good ship’s captain will make a routine out of regularly inspecting her vessel for signs of rusting, leaks, chipped paint, etc. Every time a defect is discovered, sailors immediately get to fixing it. The more attentive the crew, the more sound and reliable the vessel will be. The thing is, that much attention to preventive maintenance consumes a ton of time and effort. Sometimes more than the crew can commit given that the ship’s primary mission often isn’t to sustain itself. Cruise ships have to entertain passengers, aircraft carriers have to launch and recover planes, and so on.
Companies are a lot like that. Most (if not all) companies are built and run to achieve a business function. Bakeries make and sell bread, banks manage and lend money, and so on. Every person-hour devoted to maintenance is necessary, but it’s also a person-hour taken away from the business’s primary function. There’s a natural tendency in organisations to shift resources away from supporting functions over time … especially when the maintenance that is performed doesn’t detect significant problems.
On a ship, that’s the equivalent of skipping rust inspections. In a business, that’s skipping inspections, monitoring, and training. In both cases, it’s not malicious; it’s a natural pragmatic response to prioritising operations over internal sustainment. On a ship, that neglect usually results in the sudden discovery of a hull breach; rusting metal gives way and seawater rushes in. In a business, that neglect also leads to a breach; corroded security skills lead to a cybercriminal penetrating the network. Instead of seawater, malware rushes in and critical company information rushes out.
In both examples, the most common human reactions are shock, horror, and an irrational disbelief that such a disaster could actually happen.
In both cases, the damage can be catastrophic. With a big enough breach, a ship can sink and a business can fail. After such a disaster – assuming the entity survives – the people in charge always make a concerted effort to ensure that such a disaster never happens again. Awareness is heightened across the community. The pain of the near-sinking is fresh in everyone’s minds. Over time, though, the trauma of the event fades … people come and go … institutional memory fades … and the risk stops seeming like an imminent and existential threat. People forget why vigilance and constant discipline are necessary.
This is why recurring Security Awareness training is necessary. Using the ship analogy, the users’ skills and commitment to follow security protocols make up the integrity of the ship’s hull. The ship will keep sailing safely (so to speak) only so long as the crew takes care to protect and reinforce the integrity of the allegorical hull. That’s why annual re-training is necessary: everyone, at all levels, needs to be reminded of their personal responsibilities when it comes to keeping the company secure.
What analogies do you use to motivate and inspire your people to embrace security education? Leave a comment and start a discussion. We can all use new analogies and metaphors to help reach our people. Maybe the explanation that works best for you will help your colleague across the globe motivate his or her own folks and prevent a breach. Share what you’ve learned about what’s worked well (and what’s flopped!) so that we can all do a better job of connecting with our people. Once users understand why supplemental security training is necessary, they’re far more likely to pay attention and take our messages seriously.
From NIST SP 800-53 R4, page F-37: AT-2 SECURITY AWARENESS TRAINING. Control: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users; when required by information system changes; and [annually] thereafter.