“Thinking in the Security Context” — right-sizing Security Awareness Training for your organization.
As a Cyber Security Trainer and Consultant, I am often asked by clients
- “How should I train my employees in Security Awareness?”
- “How much training is enough? How much training is too little?”
- “Do all my employees require the same amount of training?”
- “How can I ensure my employees consistently behave in a way that protects my organization?”
It certainly can seem very daunting and often very confusing to figure out the right approaches for crafting an effective Security Awareness Training program!
In order to shed some light on this dilemma, I created the “Thinking in the Security Context” training model (lovingly referred to as “TISC”).
TISC is a model for Management and Information Security Managers to use when addressing a few key considerations in implementing Security Awareness Training Programs within their organizations.
Specifically, the model helps to:
- Identify the behaviours, attitudes, and security mindsets you would like your employees to practice on a daily basis;
- Determine the level of training investment that should be made into each employee;
- Align the above considerations with each employee's job function and proximity to the information assets you want protected.
TISC is divided into four mindsets, or segments, layered on top of an information risk continuum.
Management is responsible for mapping all of their employees (often based on job function, role, and proximity to critical information assets), to one of the mindset segments.
Each segment builds on the previous one; in this regard, the Security Curious mindset establishes the minimum level of security conscious behaviour for the organization.
The four mindsets scale up in expectations and training investment as proximity to sensitive information assets increases (i.e., as employees move up the information risk continuum).
As an example, you might map front-line employees who do not directly interface with critical information assets to the Security Curious mindset. That is, you require them to exhibit a minimum set of behaviours and attitudes toward security of the organization to a level that aligns with their job function and proximity to information assets (some of the desired behaviours are discussed below). This results in an achievable and sustainable amount of security awareness, without over-training and without over-burdening your employees.
As employees move up the information risk continuum, the expectations for security conscious behaviours and attitudes compound. As an example, you might have a database administrator who works closely with critical information assets. As one of the last layers of defence, the organization would want this employee to exhibit the top end of the TISC behaviours and align to the Security Paranoid mindset.
Commensurate with each mindset is an equivalent level of investment in ongoing security and technical education; after all, how can you expect your organization to be well defended if those tasked with defending it are not given adequate, regular training to stay up to date with the latest threats, technologies and techniques?
THE MINDSETS & DESIRED BEHAVIOURS
- Is taught to think about security in all interactions
- “How could an attacker compromise me?”
- Is suspicious of unsolicited e-mails, attachments
- If it is “too good to be true,” it probably is
- Reports any and all anomalies, no matter how small
- Is wary of the social engineer
- Always is “switched on,” “focused,” and “aware”
- Takes the “curious” mindset further
- Actively takes steps to safely validate potential threats (e.g., is trained to safely use services like VirusTotal)
- Looks for proof of non-malicious intent; has to be satisfied that the interaction is legitimate
- Verifies “trust” factors: reviews security certificate authenticity, checks links using URL scanners (e.g., https://global.sitesafety.trendmicro.com/)
- Hangs up and calls back on a known number, in order to validate identities and avoid being spoofed
- Not afraid to hit the “pause” button and escalate to supervisor or information security
- Doesn’t automatically trust
- Questions all unknown sources
- Often independently verifies “trusted” communications out of band
- “Guilty until proven innocent”
- Blacklisted, until Whitelisted
- Healthy connection to reality of today’s threats
- Believes the security of the organization depends solely on their vigilance
- Has a personal sense of accountability for the organization’s security posture
- Has a very well-tuned “threat meter”
- Keeps abreast of current threats, vulnerabilities, and exploits (e.g., follows Binni Shah on Twitter)
- Recursively asks “What if?” questions: What if this current interaction is really an attacker trying to gain access to my information?
- Takes nothing at face value — ever!
IMPLEMENTING THE MODEL
In order to successfully implement the model, Management must:
- Set expectations for each employee/job role
- Actively communicate the desired behavioural mindset for each employee
- Regularly train and test employees in the desired mindsets/behaviours
- As the Risk Profile increases, dedicate and invest more resources into knowledge, training, and education
- Review and adjust employee mindsets on a regular basis as needed
Hopefully you find this model a useful starting point for implementing and right-sizing security awareness training in your organization.
Open to your thoughts, suggestions and comments! Which mindset do you exhibit? Leave it in the comments below!
Follow me on Twitter: Red Helix
Excerpts of the TISC model are discussed in Learning Tree International Course 2054: Advanced Persistent Threats authored by Red Helix