Carlo Rossi, CISA, CISM, CGEIT, ISO 27001 LA
Whenever an information system is deployed in production, the information security concept will be stretched, as it will encounter its most dangerous and unconscious enemy: the user. Human beings have been able to step on the moon and defeat many invisible and terrible diseases, but they have not been able to keep users from proactively and unwittingly damaging information systems.
IT departments have been aware of the problem for many years, and their worries are increasing year after year as the Internet spreads its functions, opportunities and threats all over the world in big and small companies as well as in private homes. Information security awareness training courses are delivered every day in many companies, yet the results are often not as good as expected. Even very intensive training programs do not provide long-lasting results, and information security human-behavior-related issues strike back just months after training is completed.[1] Why is that? Are users really that unaware of the problems they cause?
In general, users are not fully aware of the many dangerous consequences the wrong click of a mouse on a certain link, file or virtual button may have on the information systems they use (whether a PC, tablet or other device). Most of the time, they cannot be blamed for not knowing something no one has told them about or that, if told, was not explained in a comprehensible way.[2] But, what can be done other than training users on information-security-related issues? Try to train them better, obviously.
It is proven and well known among scientists who study the human brain that humans tend to be easily distracted[3] when listening to lectures. Therefore, it is easy to see how nontechnically skilled users may not fully understand when technical information is presented with a purely technical profile. IT people tend to use acronyms and technical terms that they think should be well known to everyone on the planet, when in fact those terms are used only among IT professionals. In short, users cannot be expected to understand or remember what a firewall is if an IT professional tells them that a firewall is “…a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.” The average user cannot be expected to understand IT terminology. Why not? Because all that technical stuff is just boring to them.
IT users need to be familiar with the features of the IT systems in order to perform their jobs, but they do not need to know more than that. Very often, they do not have the technical skills to know more than that. So why do we expect them to understand the technical jargon?
And, accepting that IT often does not talk to IT users in a way that is comprehensible to them, how should IT talk to users when training them on information security?
Yes, emotions are key. Studies from many universities around the world, such as Stanford University (California, USA), show that emotions are the key to decision making in humans, and “to click or not to click” is a decision that the user is required to make many times during each work day.[4] Any click of the mouse is a decision that may lead to, for example, the download of a virus on the PC/device or the disclosure of confidential information. It is important to understand how the human brain makes decisions in order to help users avoid unconscious and dangerous clicks on their keyboards.
The human brain is the most ancient tool available in the modern world, and it still works according to the same pattern that allowed all of us to evolve from a tiger-escaping animal to a sophisticated biological machine that has been able to change the world in ways that are impossible to imagine for any other living species.
Studying patients with severe brain damage over more than 150 years, starting with the famous Phineas Gage incident[5] back in 1848, it has been possible for scientists to clearly identify a correlation between the inability to make decisions and brain damage in the prefrontal cortex (PFC), the area of the brain where emotions are created and perceived. The PFC is the anterior part of the frontal lobes of the brain, lying in front of the motor and premotor areas. This brain region has been implicated in planning complex cognitive behaviors, personality expression, decision making and moderating correct social behavior. The basic activity of this region is considered to be the orchestration of thoughts and actions in accordance with internal goals.
To make a long story short, when a choice like the one referred to in this article—to click or not to click—needs to be made, the brain makes a quick calculation of the reward it will receive in terms of the amount of dopamine potentially arriving into the frontal lobes. The more dopamine expected in return for choosing an option, the more likely that option will be chosen. But, what is dopamine?
Dopamine is a neurotransmitter with many functions, including important roles in behavior and cognition, voluntary movement, motivation, punishment and reward, inhibition of prolactin production (involved in lactation and sexual gratification), sleep, mood, attention, working memory, and learning. The more dopamine in the brain, the better the person feels; therefore, the brain chooses the higher dopamine-producing options as most favorable.
But, what type of calculation is the brain doing to arrive at this decision? The precise reasoning is unknown; nevertheless, it appears that the brain projects the possible outcomes using memory to recall similar situations, the left hemisphere and other regions to calculate the potential implications of the possible outcomes, and emotions to perceive how good the response to that outcome could be. Once the calculation is complete, the choice is made, and, in some cases, danger results.
Paying some attention to the above pattern, it is easy to understand where the security problem may come from. One can imagine how an email pretending to introduce the user to a free pornographic web site, a beautiful slideshow full of heart-filling images and messages, a huge amount of money, or a big discount on normally expensive products or services may result in high dopamine-level calculations, especially if one cannot see how this could possibly affect the security of the information system.
Obviously users do not need special skills to understand the content of the email messages, but they may need further information to detect what is behind the message and to make a safe choice. What can be done to evoke the emotions needed to make that safe choice?
In developing information security awareness training programs, questions such as the following need to be addressed: What is the technical skill of the users being trained? While carrying out the activities of their jobs (the ones for which they need to use an IT system), what kind of non-IT tools do they use? Do users participate in any officially approved social activities (e.g., bowling teams, movie clubs) in the company? Are they parents/grandparents? Is there a major attraction in their hometown, such as a local baseball team or a national association of volunteers?
Once this information is clear, the IT security professional can start thinking about the message in technical terms; the output needs to be as specific as possible at this stage. The main goal at this point is to determine what the IT security professional would like them to learn.
After completing the list, it may look something like this:
It is best not to exceed 15 items in a single learning day. If more than 15 items are on the list, it may be necessary to split the training into more than one day. In some cases, it may be useful to add something on the history of hacking for beginners to begin the training day; it may help make the users more comfortable with the topics.
Now begins the fun part for the trainer. It is time to translate what can be boring learning subjects into fun and interesting ones. The only limit is one’s imagination. There isn’t a single methodology for this, and the target may vary a lot from company to company and from audience to audience, but it can be fun to translate technical issues into more understandable explanations.
What the trainer needs to do is take the slideshow and turn it into an experience for the users—give them images, movie clips, interactive games and examples, real-life snapshots.
It is common to integrate slides with classroom games, movie snapshots and a lot of images rather than just graphs or pure data. An interactive presentation will be remembered more easily than just words. One third of the brain’s external cortex is purely dedicated to image analysis; therefore, the brain may recall images more easily than words.
While preparing the presentation’s contents, the trainer should remember that users use IT in their private lives as well, which means that they may have children who will access the Internet, and frequently parents are not IT-skilled enough to understand what can be dangerous and what is safe within a specific user’s behavior. If the trainer can add practical issues to the training that the users can implement in their private lives, this can go a long way toward building a relationship with the users. Another tip to make the training even more engaging is to add a game with prizes. The prizes can be for the best answers given in the test, for example.
Once the training program is ready, the next step is to sell it to the chief executive officer (CEO). CEOs generally like to see return on investments rather than costs. Therefore, it can be helpful to make a business case, including a complete ROI analysis of the project, for the information security awareness program. Benchmarks can be retrieved from the service desk and should include the number of security-related calls or, better, the total number of hours spent blocking incidents, and how this elapsed time can be reduced by providing the users information to be used during normal operations. The gap between what is recorded in the service desk report in terms of hours of work time lost due to information-security-related incidents and the target reduction of that lost work time as a result of the training program is the revenue side of the ROI for the training. The HR department could easily complete the information with an average hourly cost within the company to provide a monetary ROI in the business case.
How does the trainer know if the training has worked for the betterment of the organization? One can wait for the service desk calls to decrease (or not), or one can try to establish a faster method to measure success or a faster way to know if some change needs to be implemented in the training program. This can be accomplished by providing a feedback form, either in hard copy or electronic format, at the end of the training. Questions on the feedback form should be kept to no more than six to eight, and an easy-to-answer scale should be provided. This will help the trainer understand how the training was received.
A further level of visibility can be gained using exams at the beginning and at the end of the training program. The gap in the average number of right answers from the entering exam to the exit exam is the measure of how effectively the participants learned.
As with any other process, training should be ongoing; therefore, once the first round of training has been completed, a knowledge maintenance program should be defined and deployed so the positive outcomes can last over time.
Information security awareness is a team sport played without spectators; therefore, training should be fun for participants.
[1] This statement is based on the experiences of IT directors as relayed to the author.
[2] This is based on the results of anonymous assessment tests the author delivers while preparing information security programs.
[3] Medina, John J.; Brain Rules, www.brainrules.net
[4] Shiv, Baba; The Frinky Science of the Mind, Stanford Graduate School of Business
[5] Twomey, Steve; “Phineas Gage: Neuroscience’s Most Famous Patient,” Smithsonian, January 2010, www.smithsonianmag.com/history-archaeology/Phineas-Gage-Neurosciences-Most-Famous-Patient.html
Carlo Rossi, CISA, CISM, CGEIT, ISO 27001 LA, is managing partner and cofounder at CRConsultingnet Srl (Italy). His specialties are information security awareness programs, data privacy protection programs, and IT governance training and consulting. He is a member of the ISACA Rome (Italy) Chapter, the European Network and Information Security Agency (ENISA) Awareness Raising Community, and the System Dynamics Italia Chapter (SYDIC) of the System Dynamics Society.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.