Raising security awareness

The usual suspects

A lot of funds are spent on security equipment, firewalls, encryption, pentesting, red teaming, you name it. And if someone can walk out the door with files under their arm, or a manager signs off on a control which does not work, or if someone clicks on a link in a phishing email, the keys to the king or queendom may well be within reach of an adversary.

Curiosities, biases, and susceptibilities can all be potential gateways. The good news is that these very human traits can also be used to improve security.

Confirmation bias can make people assume an attack was done by a specific threat actor. Confirm that instead by looking at alternative scenarios and actively challenging existing beliefs, which can improve security postures.

Bandwagon bias leads to taking the road traveled by everyone else. How about jumping on the bandwagon of building more diverse teams, fostering critical thinking, and encouraging devil’s advocate perspectives?

Hindsight bias can cause vulnerabilities to remain undiscovered, even with many eyes on the code. When such a vulnerability is found, we can apply hindsight bias to the hindsight bias, and learn about the dangers of this particular bias.

People increasingly gather information by reading articles on the internet and sharing them with colleagues, including articles on how attackers target cognitive biases. Anchoring bias can cause risks with low likelihood or low impact to be viewed as more likely than they really are in a specific context. Drop the anchor instead in improving internal communication for determining raw risks and residual risks.

Test driven efforts

There is no way to measure the success of security awareness efforts unless the behaviours that need to change are (continuously) identified.

Measuring the success of security awareness efforts requires building an evaluation framework that uses communication, simulated events, event logging and monitoring, and assessments to test effectiveness from multiple perspectives. And in organisational contexts, nothing will work if management does not create an environment in which people (can) trust leadership to be learning too.

And then get going: make security fun and grow security thinking, care and guts, while tracking progress from the currently perceived state to the next desired state.

Hands-on workshops

Learning goes best when it is made fun, takes one day, is done off-site, and includes discussing experiences.

Experiential learning is the process of learning through hands-on experience, building upon what one knows to expand that knowledge into action. It is one of the most beneficial types of learning because one gets out of an experience what one puts in, and it helps people better retain what is learned, which can then be used for raising awareness.

That which was experienced cannot be unexperienced.

Simulations and roleplay

After some experiential training, the next step could be simulations set up for specific situations in specific contexts of the organisation. This can even go as far as colourful teaming, where a red team and a blue team play out imaginary attack and defence scenarios.

Human-readable guides

Just like in pentesting, reports and guides have to be adapted for specific audiences, without “talking down”. The term “human-readable” implies information that is meaningful for people and that can be comprehended quickly. I do try.

The very best guides are produced by and for people (in an organisation) after an experience that made them the domain experts: a hands-on exercise, or a simulation.