One way to determine the maturity of an organization’s security awareness program is to ask, “What secure behaviors are you teaching and why?” Immature awareness programs pick behaviors more or less at random and take an ad-hoc, primarily compliance-driven approach. Organizations that effectively manage human risk, however, begin by identifying their top human risks and focusing on the behaviors that manage those risks. Why? Because these organizations know that every new behavior you add has a cost to the organization. Costs include the following:
- The “human operating system” is a powerful one with a tremendous number of features; however, remembering lots of new information is not one of them. You can quickly overwhelm people with new information, a situation called “cognitive overload.” By focusing on as few behaviors as possible, you are more likely to change those behaviors.
- Organizations exist to accomplish things. Every new secure behavior you add can potentially slow down or take away from people’s ability to get their jobs done. A new behavior that only takes two minutes of someone’s time per day may not sound like a big deal, but when you multiply that by every employee every day, the costs quickly add up.
Which brings me to passwords: I can’t think of a single security topic that has more confusing and overwhelming behaviors. We in the security world love to make fun of people who can’t get passwords right, and yet we overwhelm them with a list of tasks: always use upper- and lowercase letters, numbers and symbols; use a unique password for every account; create passwords that are at least 12 characters long; and then, for good measure, add the blood of a virgin. Oh, and then everyone’s favorite rule: do it again every 90 days, just for fun.
Sigh. Could we fail our community any more? Could we make passwords any more difficult for people? How can we make passwords simple and effective for everyone? How can we reduce the behaviors involved while still managing the human risk? This is why I’m so excited about the National Cyber Security Alliance’s campaign to encourage everyone to turn on multi-factor authentication. Enabling strong authentication is an effective way to truly secure people’s accounts and also keep them simple.
Instead of overwhelming people with the idea of the perfect password (there is no such thing, by the way), we should accept that good passwords are difficult for people. In addition, we should understand that even strong passwords may still be compromised (through cybercriminals’ use of keystroke loggers, phishing and other methods). Turning on multi-factor authentication is a single, simple behavior that addresses all of these issues at once. Even better, people can easily adopt the same behavior both at work and at home.
Every time your organization wants to add a new behavior, first ask why. Yes, you may be reducing some risk in the short term, but the overall cost may be far greater. Focus on the fewest behaviors that will have the greatest impact, and then you will truly be managing human risk.
About the Author
Lance Spitzner, director of SANS Securing The Human, has more than 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and published three security books. Lance has worked and consulted in over 25 countries and helped over 350 organizations plan, maintain and measure their security awareness programs. In addition, Lance is a member of NCSA’s Board of Directors, a frequent presenter and a serial tweeter (@lspitzner) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army’s Rapid Deployment Force and earned his master’s in business administration from the University of Illinois.