Read the book Security Awareness For Dummies - Ira Winkler - Page 18

Showing users how to “do things right”


For your awareness program to help create desired behaviors, the program must show people the proper way to perform job tasks, or “do things right.” In other words, you provide instructions on how to do things properly by default.

When you consider most of the materials produced by vendors, and a great deal of the materials produced by organizations for internal use, these materials frequently focus on the fact that “bad people” intend to trick you. They tell you about criminals who will do harm if you fall for their tricks. This information can provide motivation, which can be worthwhile, but it doesn’t show users how to recognize suspicious situations as they encounter them.

When you teach people to focus on the ways bad people will exploit them, the training will fail when the bad people try a different trick. Expecting users to combat well-resourced, highly skilled criminals is a losing proposition. You cannot expect users to be consistently effective in thwarting such parties.

The better approach is for your awareness training to focus on the way that users can do their jobs properly. Ensure that users have an established process that they’re familiar with and that they know how to follow. The process should account for the potential of bad people trying to game the system.

I once worked with a large online gaming company that had problems with criminals calling up the support desk to dupe the support personnel into changing the passwords on specific accounts so that the criminals could go into the accounts and sell the assets. I created a decision tree to authenticate callers. As long as the support personnel followed the provided guidance, no accounts were compromised and no one had to train the support personnel to handle each and every possible scenario that bad people would try. It didn’t matter. We just told them the one way to do their job properly.

Though this strategy may not be feasible in every case, for every job function, your awareness efforts should generally focus on providing guidance on how people should do their jobs properly. This requires embedding security within job functions.

In many cases, you may find detailed procedures already defined but not well known or practiced. In this case, your job is to find those procedures and figure out how best to translate them into practice.
