Posts Tagged ‘FUD’

Security Awareness Series: Part Two – Setting Goals for Your Awareness Program

July 26, 2010

For part two of the series on running an awareness program I am going to focus on setting goals.

Initially in my plan for the series I had this post listed as ‘selecting topics’. After all, how can you set goals when you don’t even know what messages you are going to be delivering?

On the other hand no matter how good your ideas are, if you don’t give yourself at least one goal then anything you do produce will likely be waffle and FUD.

At the end of the day it is up to you to work out the order in which you do things. We’re all different. Some like to see the big picture first (me) while others prefer to dive in to the details (my wife).

To cater for everyone, I’ve devised a planning sheet which I’ve called a Structured Brainstorm. An oxymoron, I know, but the idea is that it gets enough of your ideas down on paper in a logical way. From there you can flesh out a formal plan. You should work through the sheet from top to bottom because each section loosely relies on the previous one – but again, that’s just my opinion. I’ll provide a link to the doc at the end of this post.

There are many reasons to set goals. One of the most useful (IMHO) is to motivate. To be motivational, a goal has to be achievable. It also has to be timely, or not too far in the distant future (think about the old SMART acronym – Specific, Measurable, Achievable, Relevant, Timely). Remember also that these goals pertain to a program of work which is to contribute to the security of your organisation, and one which you may be expected to report on regularly.

So what types of goals should we be setting?

Quick, easy-win goals could be considered operational goals and might include things like ‘make a poster’ or ‘book a date for some internal advertising’. They should be things you could achieve within the next two weeks. Don’t worry if you don’t know how to make a poster. I’ll be covering that in another post soon.

Medium-term goals are called tactical goals. These might be things like ‘have a regular slot in the corporate newsletter’. They will reflect what your awareness program might look like in the next six months. Try to come up with three good ones, and remember that they must be SMART too.

Strategic goals are your long-term goals, often related to behavioural outcomes such as ‘all users have strong passwords’. These goals will take time, but they are the goals that ultimately prove the worth of the awareness program. That said, these goals are unlikely to be attributable solely to your awareness program. Achieving security is a mix of people, process and technology (all the old clichés are coming out now!).

So we’ve broken the problem down, and we’ve also looked at our goals and organised them into operational, tactical and strategic goals. We’re getting closer to developing a workable plan for our awareness program.

What I suggest you do now is download the brainstorm sheet and have a go at completing it. It’s just below in the Scribd frame. We haven’t covered all aspects of what is on that sheet yet, but you might surprise yourself and come up with a great plan before I even write the next post – where we’ll look at topics.

Don’t Overcook the FUD

May 26, 2010

Once again Bruce Schneier has lucidly explained one of the security industry’s most troubling aspects. His comments on the CNN website relate to the habit of industry pundits to use worst case scenarios to urge a call to action.

It substitutes imagination for thinking, speculation for risk analysis and fear for reason. It fosters powerlessness and vulnerability and magnifies social paralysis. And it makes us more vulnerable to the effects of terrorism.

And what he doesn’t say but does imply is that it is used by those in the industry to peddle their wares and win/extend contracts.

He’s right, of course. I hate the term ‘thought leader’, but if it were to be applied to anyone then Schneier deserves it. His comments are not new, and he’s discussed this before on his website and in his books.

Cormac Herley talked about the same problem in his paper which I’ve discussed before. He says this about security advice:

The advice is offered as protection against worst-case harms, while users care only about average or actual harm.

So what is this ‘average’ or ‘actual’ harm that users care about? And how can we use it as a ‘call to action’ in security awareness programs?

At AusCERT recently I gave a presentation on running a security awareness program. It was pretty well received, I think, because I tried to offer practical advice based on experience. But I also wanted to give delegates a gentle kick up the backside. I told them that users are not ignorant, lazy, evil or stupid, and that actually most people want to do a good job. This probably sounded strange to a room full of professionals whose entire industry is based on FUD (maybe that’s a little harsh…).

Ok, so given that (most) people are good and want to do a good job, and that they do care about average or actual harm, I propose that security awareness should focus on those things which might impede a person’s ability to do their job well.

Think about what your users care about, and explain to them how good security makes this happen. Maybe it’s having quick access to customer databases, maybe it’s providing good service to clients, maybe it’s having a reliable mobile network so they can spend more time on the road making money.

Whatever it is, find those strings and pull them. Put the consequences of bad security into a realistic context that your users care about, and don’t overcook the FUD.

More FUD

February 1, 2010

More FUD toons for your pleasure here: http://fearuncertaintydoubt.wordpress.com/

FUD Security Cartoon

FUD Security Cartoons

December 21, 2009

A new blog on WordPress from someone making security cartoons. Looks like they’re aimed at IT workers.

http://fearuncertaintydoubt.wordpress.com/
