Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows
A practice built on teaching and creating materials based on the art and science of effective communication often leads to discussions about how to build and improve security awareness programs. I start the conversation by first asking, “what does it mean to be aware?”
After a nervous laugh (or two), answers range from blank stares and silence to lengthy lectures with no connection to security awareness. In fact, I had one executive suggest to me that trying to define security awareness was akin to US Supreme Court Justice Potter Stewart attempting to define pornography when he wrote, “I know it when I see it…”
Clever. Maybe funny. Certainly not true.
The inability to define and explain awareness creates a situation where security awareness is not understood, and therefore not funded. Business has a responsibility to make investments that increase revenue, decrease costs and improve efficacy. A blurry vision for security awareness relegates it to a checkbox on a compliance form, a program tasked to someone without the understanding, experience or support to be successful.
But more importantly, without a clear definition of security awareness, it is impossible to obtain.
It doesn’t have to be this way.
The first step toward building a successful security awareness program is to understand the concept of awareness, how to define security awareness, and how that impacts the business in a way that makes sense to support.
How do others define awareness?
Awareness is not a new concept. Here are three definitions that share common threads, easily applied to the challenge of generating awareness with regards to security and risk:
- Wikipedia defines awareness as: the state or ability to perceive, to feel, or to be conscious of events, objects or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event.
- Awareness is also defined in personal injury claims: Conscious of stimulation, arising from within or from outside the person.
- Marketing is keen on awareness: a measure of respondents’ knowledge of an object or an idea. There are two main measures of awareness: spontaneous (or unaided) and prompted (or aided) awareness.
The common threads in these and other definitions are a sense of the individual, recognition of actions and a measurable component related to some sort of message. Also consistent is the notion that awareness can be spontaneous or aided. None of these definitions use the word training. Awareness is awareness (more below), and training is something that comes after awareness. While these are a good starting point for defining security awareness, a complete picture considers the underlying challenge of the human paradox gap (for more see: Why people are not the problem).
How The Human Paradox Gap Impacts Security Awareness
When it comes to connecting with people, demonstrating business value, and influencing change, the underlying challenge of The Human Paradox cannot be ignored.
Described in Into the Breach, the Human Paradox is the condition where individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable. The result of The Human Paradox is a gap (explained in the Human Paradox Gap Model).
The implication for security awareness: the more disconnected people are from consequences, the more complicated and costly the effort to reconnect them. Bridging the gap requires an approach that blends an understanding of people (not users!) with effective communication to create the environment for awareness. This means traditional approaches that inflict misguided “training” on people (Memo from employees: educate, but don’t embarrass us) have the adverse effect of disconnecting people further… increasing risk.
Security Awareness Defined
Successful security awareness programs start with an accurate and clear definition. Based on existing definitions of awareness and the impact of the human paradox gap, security awareness is defined as:
Security Awareness: the individual realization of the consequences of actions (with the ability to assess intention and impact)
This definition of security awareness actually shifts the purpose of the program. Separated from security training (the step after awareness), the focus of a security awareness program is to provide people the information and experience to reach that individual realization. Oddly, this makes the task both easier and more challenging: success depends on the ability to properly apply the art and science of effective communication. That means creating the right materials, delivering them in the right way, at the right time, and then working to navigate to mutual understanding.
The Benefit of a Successful Security Awareness Program
Security awareness isn’t a temporary condition; it’s a realization that sets the stage to demonstrate business value and influence behavior change. Of course, those benefits come after considering how to structure the security awareness program, implement it successfully and measure the results. When employees are aware, they are able to work to reduce risk. They realize problems sooner, are more comfortable speaking up, speaking out and seeking to partner with the security team. They gain a better sense of the information that influences decisions about risk and share it more freely to better the organization. They become more resilient.
The first step is to use the right definition to create a vision for what security awareness is, and why it benefits the organization. A small shift with big results.