Let’s Not Be Our Own Worst Security Enemy

If you are like most infosec professionals, you probably have to evaluate the security awareness training program that will be used in your organization. These training programs are important, and more recently, they are required in many regulated organizations. Perhaps your security awareness training is “home grown,” or perhaps you use a training program offered by one of the many third-party training companies. There are many excellent security awareness vendors, and I am not going to endorse any specific product. I find them all worthy of evaluation to see which one fits best with the culture of your organization. Whenever I introduce a training program, I find it surprising that the greatest resistance to the training originates from the IT staff. Why is it that the folks who are responsible for much of the cleanup in the wake of a cybersecurity event seem to treat the training with haughty disdain? In psychology circles, this is a problem known as “availability bias.” The knowledge that we already have available about a topic clouds our judgement. Some of my more zen-minded friends refer to it as the problem of “clarity.” (Those zen masters always have a touch of cynical humor in their observations.) Availability bias occurs when we become so familiar with a subject that we think that we know all there is to know and it no longer merits our strict attention. This problem is not limited to the infosec profession. It happens in all occupations. Unfortunately, this disregard for reinforcement of the basics can sometimes lead to problems. Are you an amateur musician, golfer, chef, or other hobbyist? Think of every teacher or coach from whom you have sought advice about taking your performance to that next level of perfection. They always start with a review of the basics. No matter how much you know, when you take a moment to reconnect with those basic skills, they allow you to better apply your advanced knowledge of the topic. What an oddly cyclical paradox! When you reach a particular area of expertise in a subject, you can usually boast that you have forgotten more than an amateur knows. Perhaps that is the best argument for revisiting those basics. As an information security professional, it is imperative that you understand the security awareness training in which you have asked your colleagues to participate. Moreover, you should be able to recite those basics with the full enthusiasm of a person who is discovering the subject for the first time, and you should be able to teach them in a way that raises the interest of the audience. If you approach the subject with a bored or apathetic attitude, how can you expect your staff to show any respect or concern for your efforts to help them keep your organization safe? Let’s not be our own worst security enemy.