Read the book Security Awareness For Dummies - Ira Winkler - Page 56
Threat
Threat is essentially the Who or What that can cause harm, if given the opportunity. Most people think of threats as malicious people. They are clearly threats. However, your awareness program is useful only if you believe that providing guidance to well-meaning users is valuable. And it is valuable, as well-meaning users are a more prominent threat. These people lack malicious intent but take actions that are nonetheless harmful because of ignorance, carelessness, or human error, all of which can be reduced by way of awareness. Well-meaning users cause exponentially more loss in aggregate than the malicious actors. The incidents can be significant, but more frequently the losses involve many small-but-frequent incidents that add up. For example, compromised credentials and lost devices result in losses that aren’t significant individually. However, in aggregate, they add up to major losses.
Do you remember the old term “death by a thousand cuts,” which refers to many small and seemingly inconsequential losses adding up to a major incident? It’s easy to ignore the small losses, but preventing small losses can frequently save an organization more money than preventing a large incident. When you create a security awareness program, you must consider all threats and determine whether the frequency of a small loss becomes worthy of expending limited awareness resources (Chapter 8 discusses this process in greater detail).