Читать книгу Security Awareness For Dummies - Ira Winkler - Страница 13

Just as people get themselves into automobile accidents despite advances in automobile safety, even reasonably aware users may fall victim to cybersecurity attacks. All cybersecurity countermeasures will eventually fail. Countermeasures include encryption, passwords, antivirus software, multifactor authentication, and more. Perfect security doesn’t exist. Your goal in establishing a security awareness program is to reduce risk by influencing user actions.

Don’t expect users to be perfect — risk reduction isn’t about eliminating risk altogether, which is impossible. Expect your security awareness program to reduce the number and severity of incidents, thereby reducing losses from the incidents.

Also, a more aware user knows when something seems wrong and knows how to react to it. If your users sense that they might have been compromised, they start taking actions to mitigate the loss. If they accidentally email sensitive data to the wrong person, they try to stop the message or have it deleted. If they end up on a malicious website that starts serving adware, they disconnect before additional damage can occur. They know how to properly report any and all potential incidents, so your organization can begin to stop any loss or damage in progress. In the worst case, at least they can launch an investigation after the fact to find out what happened.

In the ideal situation, even when a user takes no potentially harmful action, they report the situation to the appropriate party. They report details such as whether someone tried to follow them through a door, even if they turn the person away, because they know that the person might attempt to enter through another door or follow someone else through the door. If someone detects a phishing message, they don’t click on it — instead, they report the message because they realize that other, less aware users may click on it, and then the administrators can delete the message before that happens.

As you can see, awareness requires more than knowing what to be afraid of — you also have to know how to do things correctly. Too many awareness programs focus on teaching users what to be afraid of rather than on establishing policies and procedures for how to perform functions correctly, and in a way that doesn’t result in loss.

The goal for awareness is for users to behave according to policies and procedures. Part of the function of an awareness program is making users aware that bad guys exist and that those bad guys will attempt to do bad things. But awareness programs primarily focus on making people aware of how to behave according to procedures in potentially risky situations.