When trying to communicate the value of security awareness programs to management or other security professional, I find these three points a good starting point.
- First, keep in mind that ultimately security awareness is nothing more then another control. It reduces risk, it does not eliminate it. Anti-virus does not detect all malware, firewalls do not prevent all attacks, IDS does not report all exploits. The reason I bring this up is sometimes people hold security awareness to a different standard. A common example I see brought up is phishing, if you send enough phishing emails in an organization someone will fall victim, thus security awareness programs do not work. Yes it is true, awareness cannot nor will it ever be able to change the behavior of all people. In addition, sooner or later we can all be fooled (including me). However this does not mean security awareness is a failure, this simply means it is no different then any other control.
- Second, by reducing the common day to day human mistakes, you reduce costs and allow your security team to focus on more key issues. Lets take a look at the phishing example again. By reducing the number of people that fall victim to phishing attacks, you reduce costs (just ask your Incident Response team how often they are responding to infected computers). This saves your organization not only response costs, but in addition means more up time for your employees. Even more important, reducing the number of basic or simple infections allows your IR team to shift their focus from rogue anti-virus and infected screensavers to more advanced and dangerous attacks. Stuff your organization really needs to be worried about.
- Finally, and I feel most importantly, people forget that awareness is not just about prevention. Awareness is part of the whole spectrum of security. Once again, lets take phishing as an example. Yes, there is a failure when ten employees click on links in phishing emails. But what happens when one of those ten realizes that something was wrong and then reports the incident to security. Within minutes of a successful attack your security team is able to respond, allowing them to not only mitigate the attack, but review and respond across the entire organization. This can be especially effective in countering more advanced threats, such as APT, which use the human as one of their primary attack vectors.