Security Awareness For Dummies - Ira Winkler - Page 33
Addressing Mental Models That Don’t Work
“Hackers are unstoppable geniuses.”
“There may be computer crimes, but it won’t happen to me.”
“I am too unimportant to be a target.”
These statements represent common mental models that I deal with in security awareness programs, and these mental models are both harmful and wrong.
Mental models reflect the way a person perceives their environment. For example, in most countries, the hot water faucet is on the left and the cold water faucet is on the right. Red usually means something bad or to stop, and green means safe or to go. When I visit a US airport, I expect that flights on a monitor will be listed alphabetically by destination. When I am in Europe or Asia, I generally need to know the departure time before I look on a monitor to find my gate. I can usually pick up a TV remote control and figure out how to turn on and use any TV. You might naturally assume that you could likewise rely on people's existing mental models when it comes to security awareness, but this isn't the case.
People's mental models regarding cybersecurity are both inconsistent and frequently wrong, and that leads them to make bad decisions. Most computer criminals are opportunists who take advantage of poor cyberhygiene (neglect of basic computer practices), such as not installing antimalware software or not keeping backups.
Your goal is first to understand the current mental models that serve as a barrier to positive security behaviors within your user base. Then you must supply correct mental models to replace them. You need to instill strong security practices as a habit.
If your users believe that hackers are unstoppable geniuses, you need to talk about how frequently they are caught and how someone in your organization thwarted attacks by practicing what you preach. If they believe it will never happen to them, talk about how the organization has suffered attacks. Show people how seemingly unimportant targets were used to gain access to other parties. You need to understand and dispel the harmful mental models, not try to adapt them to your needs.
Chapter 5 discusses getting to know the users, which includes how they perceive security concerns. When you understand how mental models are undermining your security awareness efforts, you can start to address them head-on and begin to change perceptions.