Okay, this one is for the security community. I'm amazed and stunned how often our community arrogantly blames people for security risks, when we ourselves are the only ones to blame. Let's pick on everyone's favorite flogging topic when it comes to people: passwords. You know, the topic where we blame users for being 'stupid' for constantly using such simple and basic passwords. We go through the trouble of teaching people to use long passwords, and passphrases when possible, and then wonder why people don't follow our sage advice. We have even created cartoons on this.
Okay, let's say people learn and follow these steps. Now what happens? They can't log in anywhere because the
...
Security awareness has gone through immense changes in the past two years. It has quickly grown from a compliance-driven, once-a-year dreaded event to an engaging solution focused on changing behaviors. Here are the top three indicators that a program is truly a 'next generation' awareness program.
1. Behavior: The biggest indicator is the organization's goal. If they are focusing on just compliance, if their program is nothing more than a once-a-year PowerPoint presentation, you have an 'old school' program. It will never have an impact because it was never designed to. Next generation awareness programs are designed from the ground up to change behavior. The organization has done a
...
Some of you may be familiar with the Critical Security Controls, developed by a consortium of the security community working to identify the top risks to organizations and the controls that mitigate them. One of the top controls (CC #9) identifies the human element. The challenge is that this control simply identifies awareness as important, not which human risks it should be addressing. As such, a subset of this consortium, including CMU, Mandiant, Virginia Tech and MITRE, came together to help identify the top human risks. Our findings are very preliminary and we are looking for more data,
...
Looking to build a new security awareness program that makes a difference? Want to pump up the volume on an existing program and go from just compliance-focused to changing behaviors and reducing risk? I'll be teaching the SANS two-day course MGT 433, "Building a High-Impact Security Awareness Program", on 8-9 March in Orlando, Florida. Don't have the time or budget for travel? Not a problem: attend the class remotely with SANS Simulcast in the comfort of your pajamas. Sign up now for MGT 433 Simulcast remote
...
A common misconception I run into with awareness materials is that they cannot change behaviors. For example, posters. We released a new security awareness poster called "You Are A Target", which explains to ordinary computer users why they are a target and identifies all the different ways criminals can make money off you. This is a great way to engage people and help them understand why they need to be secure. However, a common reply I get from the technical security community is that a single poster is lame and will never change human behavior, so why do we even bother?
*sigh*, of course a single poster will never change human behavior. Nor will a single newsletter, a single video, nor a
...