Security Awareness For Dummies - Ira Winkler - Page 41
Achieving Common Sense through Common Knowledge
The greatest criticism I seem to hear about security awareness is that it’s all common sense. It’s common sense to know not to click on certain emails. It’s common sense to know that the tax service won’t call you to persuade you to give them a credit card number to pay a bill immediately. And so on. Going back to my psychology lessons, the response that comes to mind is this: “You can’t have common sense without common knowledge.” To a large extent, security awareness is about creating common knowledge (stuff that everyone truly knows) so that users can exercise common sense (perceived good judgment in practical matters).
People within an organization generally assume that what is common sense for them is common sense for everyone. But within the group, people often lack the common knowledge required for a shared common-sense understanding.
Common sense is based on common knowledge. You can’t have common sense without first establishing common knowledge.
In cybersecurity, people without a technical background definitely lack the knowledge that people within the IT or security professions possess. You need to account for this fact when building your assumptions. You must understand where common knowledge does (and does not) exist among the individuals within the group whose behavior you want to influence.
When you approach the design of your awareness programs, ask yourself, “Is this fact or idea common knowledge, and should it be?”
Be sure to consider whether users lack the common knowledge required to act on your recommendations. Security awareness programs often tell users to create strong passwords, for example, or to check the identity of the sender of the email messages they receive. Even though most awareness communications require concise messaging, you must consider whether such guidance needs to be backed up with instruction. If users don’t know how to create a strong password or how to adequately verify the identity of an email’s sender, the higher-level guidance is worthless. You must establish a base of common knowledge before you can require the common sense behavior.
Company leaders sometimes assume that technical workers, including security team members, have more common sense than the average users. In my experience, this assumption is often incorrect. A common tactic used by cyberthieves, for example, is to pretend to be another person, call an organization’s Help desk, and persuade an unwitting Help desk representative to reset that person’s password. As a test, I have personally convinced a Help desk rep within one of my targeted companies to send me a new computer during a social engineering exercise. During physical penetration tests, I frequently just walk into the security office and persuade the employees to issue me an actual facility badge.
Unless you know that a person in a given job function receives fundamental training that enables them to act on your guidance, you should assume that they lack the necessary common knowledge. This assumption should be embedded in every aspect of your awareness program, so that you always consider whether users have the underlying knowledge to act on the information you provide. You probably can’t include every basic concept in awareness materials, but you need to design your messaging to accommodate a lack of common knowledge.
If you need to provide more detailed information than you can provide in a given communications medium, you might want to link to or refer to a more detailed information source, such as the knowledgebase I describe in Chapter 7. This way, you can provide your intended message and ensure that common knowledge is available.