Justifying your awareness program can be a challenge, a challenge where you may need multiple methods to demonstrate your program's value. Earlier this week we discussed comparing the resources your organization invests in protecting a standard operating system to the resources it invests in securing the Human operating system (i.e. your employees). Here is a second option, do a root cause analysis of every incident for one month and see what percentage were caused by humans. For example, the vast majority of infected desktops may be due to end users opening infected attachments, visiting malicious websites or using infected USB sticks. An aggressive awareness program can stop these infections where most anti-virus programs fail. Depending on just how far you take this you may find most of your incidents are human related. That SQL injection attack? It was successful because your developers were unaware about basic secure coding practices. That old FTP server that was exploited on your network? Due to unaware IT staff that do not realize the need for patching and upgrading. That social engineering attack on your Help Desk? Due to unaware support personnel.
Start digging and you may find most of your incidents for one month are due not to technical vulnerabilities but ultimately human vulnerabilities.
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.