Security news that informs and inspires

Security Education: Running With Scissors


Childhood is a formative time when we are exploring the world and everything seems new. The lessons we learn as children help us gather information for use later in life: the difference between right and wrong, for example. We learn that it is not wise to tug on Superman’s cape, not to spit into the wind avoid pulling the mask off masked stranger and avoid people named James. (Hat tip to Jim Croce).

An important lesson from those early years is something we all take for granted as adults: Don’t run with scissors. When you are young, the ramifications of such actions never really hits the mark, and either through parental teaching or the school of hard knocks we all figure out this one at some point. The point is that we learned the value of this exercise.

So, why do we as security practitioners all too often throw our arms up in despair when the subject of security education inevitably bubbles to the surface? This is one of the difficulties inherent in a maturing industry. There is a fascination to tackle the fun parts of the job but an adverse reaction to the heavy lifting that is necessary to keep the greats moving. If we don’t spread the security message to all aspects of society we are introducing exposures that attackers can leverage to their own nefarious ends.

I was once asked during an interview how I would hack into a certain company. I said, “Oh that’s easy.” They laughed at my reply and asked me to expand. I said, “I’d take the CEO’s admin to lunch.” Based on the response I knew I had rattled their way of looking at the problem they had presented. Attackers will come through your front door until you build a better front door. Then they’ll try the windows and it spirals from there. It is never safe to assume that an attacker will stop because of a certain control that you’ve installed.

The reality is that security is in fact everyone’s job. But let’s be honest with ourselves and ask the hard question: What does that actually mean? Further to that end what does it mean to the rank and file in your organization as it pertains to their daily job? How does your company approach security education?

Most organizations have mandatory security education when an employee starts as a new hire. Did your security education stay with you? Did your training change your behaviors? Have you tried injecting humor into the lessons? There is some basis for my comment.

From the American Psychological Association article, “How laughing leads to learning" in 2006 :

However, a growing body of research suggests that, when used effectively, classroom comedy can improve student performance by reducing anxiety, boosting participation and increasing students' motivation to focus on the material. Moreover, the benefits might not be limited to students: Research suggests that students rate professors who make learning fun significantly higher than others.

You want security education program to be effective. If humor will help with retention it’s something worth considering.

Repetition is often cited as the element to get the message to stick. Marketing folks have their rule of seven that says that a prospect needs to see an advertisement seven times before they make a purchasing decision to buy said product or service. We can make use of this messaging idea to get the security message across to the wider audience. You want your audience to take your training to heart so finding a way to consistently reinforce the message is key. Being able to do this without driving people up a wall is a longer discussion.

When I was young I played a lot of sports. The winning team would get the big trophy. The second place team would get a smaller trophy and the remaining teams would get the participant ribbon. I always loathed those. Nowadays when a lot of organizations deliver security training they allow the employee to print out the certificate of completion. This has always struck me as the redux of that participant badge.

What if you took the training, added in the humor and hammered the message home repeatedly? You would have the makings of a fun and engaging training program that staff want to take part in. Creating an award based system is a great example. Let’s be clear that it doesn’t have to be a monetary reward. It can be a recognition email to peers or a positive email to that person’s direct manager while cc’ing them. Something to provide that positive feedback loop.

The adage that security is everyone’s job is true and not only for the staff. This also applies to the program that is rolled out to deliver the wider message. One can’t simply run a SCORM compliant training program and tick a box that says you’re done. This requires a well thought out program to strengthen security awareness training and help us all learn to stop running with scissors.