Awareness – Part 1: Empowering the People
It’s well understood that security is a 3-pronged problem covering people, process and technology. Any solution devised to manage a given information security risk must effectively harmonize the people, the processes and the technologies to optimize the risk response. One of the things that I find interesting is that no matter how sophisticated and robust a technology or process may get in terms of security, there are always rather simple social engineering ploys or innocent human errors that can compromise the integrity or confidentiality of important information. People can, and most often are, the weakest link in the people, process and technology security triangle. We’ve all heard of individuals “lending” their credentials to the trustworthy tech support personnel, leaving behind trade secrets on conference room whiteboards, leaving our computer unlocked when we leave our desk, losing our laptops at the airport, lending our corporate email synchronized smart phones to the stranger in need of a quick 5 min call or clicking “yes” to a download from an internet site that looks so innocent! In fact, users conditioned to click “yes to download” is one of the biggest information security challenges our industry faces today. Malicious software creators exploit this human conditioning to spread malware. Technology is extremely limited in preventing malware from being executed on a machine if the machine administrator explicitly allows it to download and install. Technology’s role in mitigating social engineering risks is an interesting topic and I plan to look at it more detail later.
Because people can be the weakest link to effective security, creating effective security awareness is one of our most important tools to managing information security risk. Our Awareness team, looking exclusively at the people aspect of the solution, is chartered with driving the information to the end-users in an effort to raise security awareness, empower the individuals with knowledge and ultimately drive behavior changes in favor of a more secure posture. Our Awareness efforts can be seen as being driven in two dimensions: breadth campaigns and depth programs.
The breadth campaigns are all about delivering common messaging to the broad set of users across the Microsoft landscape. By their very nature, the messages are meant to be very generic so they resonate across a diverse set of users (roles, culture, skill sets, etc.). Some examples of these types of messages include: what to do when you lose your mobile device, importance of data classification and how to appropriately share information in a given context and handling classified documents in accordance with policy. The challenge with driving breadth campaigns is that you have to keep the message generic so it resonates with a diverse set of users which in turn means it’s not as impactful as a focused message targeting a specific problem space or risk. Breadth campaigns will always have their place (even simply as a support of the “out of sight, out of mind” argument) but the real opportunity to manage information security risk is often times in the depth programs.
A common and highly documented depth-focused security program from Microsoft is SDL or our SDL-aligned version for line-of-business applications SDL-LOB. This is a program focused on a specific risk (vulnerable applications) and a specific audience (developers). So we have awareness efforts around this that are focused on ensuring we are socializing it effectively with the target audience as well as ensuring we have the effective educational elements in place in support of the SDL-LOB process. Other awareness depth programs could include looking at a specific region or a specific business unit where information security risk may have been identified. Ultimately, driving depth-first programs gives us the opportunity to truly contextualize our messaging so its tailor fitted for the audience.
Under our Awareness efforts, whether we are trying to evangelize a message, deliver education or even trying to market a tool, we stay focused on people and ensuring we are being effective in driving the message. At the highest level, it’s all about working across either the breadth or depth domain. Moving forward, in my next post, I’ll dig a little deeper and discuss a little bit about the framework we use to develop these messages and how we ensure that we remain focused on socializing the right message effectively. I’ll then look to discuss a little bit about what we’ve learned from our experiences of doing security awareness and how we are looking to further optimize our programs.
One of the things I’m very excited about this year is that along the lines of sharing a lot of our evangelism work we do under Awareness (through www.msinfosec.com), we’re also looking to potentially package a lot of our Awareness program collateral (print material, online material, learning’s, etc.) and share it with the world.
As always, would love to hear your thoughts either through posting comments or emailing me directly at email@example.com.