Qualitative risk matrix

Last month we kicked off a blog series on the 4 W's of building an effective awareness program. In the first post we explained that to manage human risk effectively, organizations need to answer four key questions: WHY, WHO, WHAT and HOW. We started with the WHY and then continued on to the WHO. Today we focus on the third question - WHAT.

WHAT is very simple: what do we want to teach people, and what behaviors do we want to change? This is where a lot of security awareness programs fail, for two reasons. First, no thought is put into answering this question. Organizations simply teach the topic of the day, randomly picking topics that seem interesting, current, or whatever everyone else is talking about. No effort has been made to determine the top human risks to the organization and focus on mitigating those. The second problem is that the security team wants to teach people everything. Being responsible for security, they want to mitigate every risk possible, so they focus on every topic possible. Here we run into what is called "cognitive overload". Simply put, you overwhelm people with so much information that they either forget it all or simply do not know what to do.

The key to addressing these issues is teaching as few topics/behaviors as possible while eliminating the most risk. To do that, you first have to know WHO your target audience is. Once you know whom you are attempting to secure, you can begin a human risk analysis and determine WHAT the greatest human risks to your organization are. This can be as simple as going to your Incident Response team and identifying the top incidents caused by this group (such as phishing, accidental data disclosure, etc.), or it can be as in-depth as a qualitative or quantitative risk analysis. Once you have identified the top human risks, you have won only half the battle. You then have to identify which behaviors you must change to mitigate those risks. In the world of Instructional Design these behaviors are called Learning Objectives. Just as with identifying the risks, you need to identify the fewest behaviors that are the most effective at mitigating the greatest risk.
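As an added illustration of the two steps above (it is not part of the original post or the MGT433 course material), here is a small qualitative risk matrix that scores constructed human risks on ordinal likelihood and impact scales, then greedily picks the fewest behaviors (Learning Objectives) that remove the most risk score. The risk names, scales, score bands and behavior-to-risk mappings are all assumptions made up for the example.

```python
"""Qualitative human-risk matrix with greedy selection of the fewest behaviors to teach."""

# Assumed 5-point ordinal scales; the product (1..25) is banded into low/medium/high.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed sample: top human risks, as an IR team might report them for one audience.
RISKS = {
    "phishing credential theft": ("likely", "major"),
    "accidental data disclosure": ("possible", "major"),
    "weak or reused passwords": ("likely", "moderate"),
    "lost unencrypted device": ("unlikely", "major"),
    "tailgating": ("possible", "minor"),
}

# Constructed sample: candidate behaviors and the risks each one mitigates.
BEHAVIORS = {
    "report suspicious emails": {"phishing credential theft"},
    "use password manager + MFA": {"phishing credential theft", "weak or reused passwords"},
    "classify and share data via approved channels": {"accidental data disclosure"},
    "encrypt and lock devices": {"lost unencrypted device"},
    "challenge unescorted visitors": {"tailgating"},
}


def rate(score):
    """Map a likelihood x impact product onto a qualitative band (assumed thresholds)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


def risk_matrix(risks):
    """Return (risk, score, band) rows sorted highest score first, then by name."""
    rows = [(n, LIKELIHOOD[l] * IMPACT[i], rate(LIKELIHOOD[l] * IMPACT[i])) for n, (l, i) in risks.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def select_behaviors(matrix, behaviors, max_behaviors=3):
    """Greedy weighted set cover: at each step take the behavior that removes the most
    still-uncovered risk score, stopping at max_behaviors to limit cognitive overload.
    Returns (chosen behaviors in order, fraction of total risk score covered)."""
    weight = {name: score for name, score, _ in matrix}
    uncovered, chosen = set(weight), []
    gain = lambda b: sum(weight[r] for r in behaviors[b] & uncovered)
    while uncovered and len(chosen) < max_behaviors:
        best = min(behaviors, key=lambda b: (-gain(b), b))  # ties broken by name
        if gain(best) == 0:
            break
        chosen.append(best)
        uncovered -= behaviors[best]
    total = sum(weight.values())
    return chosen, (total - sum(weight[r] for r in uncovered)) / total
```

With the sample data, the matrix ranks phishing as the only "high" risk, and three behaviors cover about 89% of the total risk score; "report suspicious emails" is never chosen because the MFA behavior already covers its only risk.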

Ultimately you want to focus on as few topics/behaviors as possible that will have the greatest impact. Every behavior you add has a cost to your organization, and every behavior you add brings you one step closer to "cognitive overload". Finally, the fewer topics/behaviors you target in your program, the more effectively you can reinforce them throughout the year. You have just discovered one of the biggest challenges in building a successful awareness program: it's not determining what to teach people, it's determining what not to teach people so you can remain focused. To learn more about planning, maintaining and measuring your awareness program, attend the two-day SANS course MGT433.