Security Awareness For Dummies - Ira Winkler - Page 19
Recognizing the Role of Awareness within a Security Program
Awareness isn’t a stand-alone program that the security team uses to deal with the user problem, as it’s commonly called. Security awareness is a tactic, not a strategy, used to deal with the user problem.
As I cover in the earlier section “Reducing losses from phishing attacks,” for a phishing attack to exploit your organization, your system first has to receive the email message on your server. Your system then has to process the message and present it to the user. The user has to review the message and decide how to act on the message. If the message contains malware, the system has to allow the malware to install and execute. If the message sends the user to a malicious link, the system has to allow the user to reach the malicious web server. If the user gives up their credentials on a malicious web server, the system then has to allow the malicious party to log in from anywhere in the world.
When a phishing attack succeeds, the user action is just one link in a fairly involved chain that requires failure throughout the entire chain. This statement is true for just about any user action, whether it involves technology or not.
Here are several concepts to consider:
The user is not the weakest link.
Awareness addresses one vulnerability among many.
The user experience can lead the user to make better decisions — or avoid making a decision in the first place.
Most importantly, to stop the problem, you have to engage and coordinate with other disciplines. See Chapter 5.
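The chain described above, worked as a small risk model. This is an added example, not material from the book: the stage names, the discipline that owns each link, and the failure rates are constructed assumptions chosen only to illustrate the point. Because a loss requires every link to fail, the end-to-end loss probability is the product of the per-link rates, so halving the rate at any one link (user click rate, gateway pass-through, endpoint execution, or credential usability) halves the overall loss by exactly the same amount.

```python
"""Model a phishing attack as a chain of links, each owned by a different control.

Constructed example: every name and number below is an illustrative assumption,
not a figure from the book or from any real measurement.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Stage:
    name: str         # what has to go wrong at this link for the attack to continue
    control: str      # the discipline or control that owns this link
    fail_rate: float  # assumed probability that the control lets the attack through


# Constructed baseline chain, in the order the book describes it.
PHISHING_CHAIN = [
    Stage("message is accepted and shown to the user", "email gateway / anti-spam", 0.50),
    Stage("user acts on the message", "security awareness", 0.20),
    Stage("malware executes or malicious site is reached", "endpoint / web filtering", 0.30),
    Stage("stolen credentials usable from anywhere", "identity (MFA, conditional access)", 0.80),
]


def loss_probability(chain):
    """Probability that one phishing email ends in a realized loss.

    Every link must fail, so the rates multiply (independence is assumed).
    """
    return prod(stage.fail_rate for stage in chain)


def with_improved_control(chain, control, factor):
    """Copy of the chain with one control's fail rate scaled by `factor` (0.5 = halved)."""
    return [
        Stage(s.name, s.control, s.fail_rate * factor) if s.control == control else s
        for s in chain
    ]


def marginal_effect(chain, control, factor):
    """Ratio of loss probability after improving `control` to the baseline.

    In a multiplicative chain this equals `factor` no matter which link is improved,
    which is the quantitative form of "the user is not the weakest link".
    """
    return loss_probability(with_improved_control(chain, control, factor)) / loss_probability(chain)


def stopped_at(chain, outcomes):
    """Walk one concrete incident through the chain.

    `outcomes` maps a stage name to True if that link failed (the attack got through).
    Returns the control that stopped the attack, or None if the loss was realized.
    """
    for stage in chain:
        if not outcomes.get(stage.name, False):
            return stage.control
    return None


if __name__ == "__main__":
    base = loss_probability(PHISHING_CHAIN)
    print(f"baseline loss probability per phishing email: {base:.4f}")
    for stage in PHISHING_CHAIN:
        ratio = marginal_effect(PHISHING_CHAIN, stage.control, 0.5)
        print(f"halving fail rate of '{stage.control}': loss x{ratio:.2f}")

    # Constructed incident: the user clicked, but MFA/conditional access held.
    incident = {
        "message is accepted and shown to the user": True,
        "user acts on the message": True,
        "malware executes or malicious site is reached": True,
        "stolen credentials usable from anywhere": False,
    }
    print("stopped by:", stopped_at(PHISHING_CHAIN, incident))
```

The `stopped_at` walk is the part worth adapting to real incident data: record, for each phishing incident, which link held, and you get a per-discipline view of where losses are actually being prevented rather than a tally that attributes every near-miss to the user.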
Dealing with user-initiated loss (after all, the actions can be either unintentional or malicious) requires a comprehensive strategy to deal with not just the user action but also whatever enables the user to be in the position to create a loss and then to have the loss realized. You can’t blame a user for what is typically, again, a complex set of failures.
Though it’s true that, as an awareness professional, you can just do your job and operate in a vacuum, doing so inevitably leads to failure. It goes against the argument that you deserve more. This doesn’t mean that the failure wouldn’t happen even if everyone cooperated, but operating in a vacuum sends the wrong message.
Awareness isn’t a strategy to mitigate user-initiated loss — it’s a tactic within a larger security strategy.
The security awareness program isn’t the sole effort responsible for mitigating user error. If you say nothing to oppose this idea, you give the impression that you agree with it. Worse, you give the impression that users are responsible for any loss resulting from harmful actions that you already anticipate they will eventually make, such as clicking on a phishing link or accidentally deleting a file.
You have a responsibility to reduce risk by encouraging secure behaviors. But you’re also part of a team, and you should work in concert to support the entire security team in reducing loss. In a coordinated cybersecurity department, each team determines its part in reducing losses related to user actions and takes the appropriate actions. Likewise, each team determines how best to support the others in the overall reduction of user-related losses.
As a security awareness professional, you can be the tip of the spear in coordinating a comprehensive solution to reducing user-related losses. Your primary focus is to create behavioral improvements that reduce the initiation of losses.