Security Awareness For Dummies - Ira Winkler - Page 46

Applying the ABCs of Awareness


The mark of success for an awareness program is that people change their behaviors as required. For security awareness programs, these behavior changes should provide a return on investment and justify the awareness program, as Chapter 8 discusses in detail.

In short, the ABCs of awareness mandate that awareness influences behavior. Behaviors practiced consistently create the culture. Culture in turn provides awareness and drives behaviors.

The goal is for awareness to influence behavior. Then behaviors, practiced consistently, create a culture (that is, consistent behaviors practiced across the organization); in the case of a security awareness program, they create a security culture. Your security culture then helps to drive both awareness and behaviors. Figure 3-1 illustrates this relationship.


FIGURE 3-1: The ABCs of awareness.

Having awareness doesn’t matter if users don’t practice the desired behaviors. Most people know not to reuse passwords across multiple accounts, for example, yet you still face incidents unnecessarily because users reuse their passwords. In 2019, criminals published credentials for more than 3,000 Ring cameras in people’s homes. They were able to hack in and interact with children, using passwords that had been stolen in hacking incidents and then sold on the dark web. Though the passwords were from various websites, attempts to use them to access the cameras were successful because the parents had used the same passwords on the Ring account as they did on other Internet accounts.

If behaviors are consistently poor, the security culture is weak. If senior employees choose not to wear their badges, a new hire walking into the organization will soon stop wearing their badge too, no matter what the awareness posters say.

Have you ever heard someone say that it’s easier to stay in shape than to get in shape? In other words, if you’re already fit, you can just continue to do what you’re doing to stay fit. Otherwise, you have to change and improve something in order to become fit. It’s the same for a security culture: If it’s strong, it’s easier to maintain a strong security culture than to strengthen a weak security culture. Just making people aware of what they should do won’t change their behavior, because the culture reinforces the weak behaviors. You need to consider how to change the culture, and that takes more effort than just attempting to tell people what to do.

