Security Awareness Maturity Model

One of the advantages of working at SANS Institute is being surrounded by many of the world's leaders in information security. At any time I can tap into a global network of experts, from forensics and malware to risk analysis and ICS attacks. One consistent thing I have learned from these people is that you never have the time or resources to address all of your risks - you must prioritize. When it comes to securing people it is no different. The problem is that there is an almost infinite number of secure behaviors you could focus on, but trying to address all of them simply does not work. People can only remember and do so much; if you overwhelm them they end up forgetting everything, a situation known as cognitive overload. In addition, you and your organization have limited time and resources. As such, you have to identify and prioritize your top human risks and focus on those. Unfortunately, this is something I see few organizations do, and it is a key reason they often fail. Ultimately, whenever you are teaching or reinforcing a topic you should have a reason why.

One approach is to do a human risk analysis. This is similar to the risk analysis any organization would do, except that you focus on the human element. A common mistake organizations make when dealing with people is that they consider only deliberate threats and forget the accidental ones. Quite often employees do not mean to cause harm, but they email sensitive documents to the wrong person because of auto-complete, or leave their laptop in a taxi. Whenever doing a human risk analysis, it's important to take both deliberate and accidental threats into consideration.

Another option is to consider the SANS Securing The Human Core library. We know and understand that a lot of organizations do not have the time or resources to do a human risk analysis, so we decided to help. We reached out to SANS's top instructors and experts and asked them what the top human risks are that they see in organizations. In addition, we pulled various data sources, including the Verizon DBIR and the Internet Storm Center, to better understand the risks facing organizations. Based on all this information, we identified the nine most common threats organizations face and created what we call our Core training, which I list below.

  • You Are a Target
  • Social Engineering
  • Email & Messaging
  • Browsing
  • Social Media
  • Passwords
  • Mobile Devices
  • Data Security / Destruction
  • Hacked

Ultimately, the key to an effective awareness program is not only HOW you communicate but WHAT you communicate: which secure behaviors you focus on. Be sure to prioritize your topics and focus only on those that address your top human risks.