Security Awareness Design in the New Normal Age
eBook - ePub, 128 pages, English

About this book

People working in our cyber world have access to a wide range of information, including sensitive personal or corporate information, which increases the risk to it. One aspect of protecting this data is to train the user to behave more securely. This means that every person who handles sensitive information, their own or that of other people, must be aware of the risks that their use can pose, as well as how to do their job in such a way as to reduce that risk.

The approach we use for that is called 'Security awareness' but would be more accurately described as security 'un-awareness', because most of the problems come where the user doesn't know about a risk from their behaviour, or its potential impact. In these post-COVID days of 'New Normal' working, in which staff spend more of their time working at home, organisations are still responsible for the protection of sensitive personal and corporate data. This means that it is more important than ever to create an effective security awareness communication process.

This book will primarily consider the problem of hitting that 'Sweet Spot' in the age of 'New Normal' working, which means that the knowledge about secure practice is not only understood and remembered, but also reliably put into practice – even when a person is working alone. This will be informed by academic research as well as experience, both my own and learnt from my fellow professionals, and then will be used to demonstrate how 'New Normal' working can improve security awareness as well as challenge it.


Information

Publisher: CRC Press
Year: 2022
eBook ISBN: 9781000612790

1 What Is Security Awareness and Why Should You Care?

DOI: 10.1201/9781003194583-2

Introduction

The word ‘holistic’ is one that is commonly used these days, especially in relation to approaches to healthcare. However, we can also use it to understand a wide range of awareness and behaviour, both on a computer and off it, that impacts the protection of data. In short, security awareness should be part of a holistic understanding of Information and Cyber Security, not a poor cousin that is relegated as less important until a situation occurs where greater awareness could have protected against or mitigated the impact. As someone who came into the profession via an interest in security awareness, I have been cheered to see a growth in its incorporation into more mainstream information security.
That said, I think it is important to use this first chapter to both explain security awareness and consider where it fits with operational practices in organisations, before we move on to look at the impact that working through COVID times has made. In doing so, I will also share some examples where incidents, some well-known in the public domain, have demonstrated that relatively straightforward raising of security awareness would clearly have reduced some significant, and in one case very embarrassing, impacts.
While much of this book is going to focus on the future, and how individuals and organisations can act now to become increasingly secure as time goes on, we need to understand where we came from if we are going to map out our route to security awareness moving forward.
Let’s start by talking about what we mean when we talk about security awareness.
First and foremost, we should acknowledge that ‘security awareness’ is a bit of a misnomer. It doesn’t accurately describe what we’re talking about, or even what we’re trying to do.
Start with the word ‘security,’ for example. This is a strong, concrete word that sends a clear message: after all to be secure is to be in a place of protection, often behind defences designed to keep threats at bay. It conjures images of strong walls and deep hidden vaults, dedicated to protecting valuable things. This makes sense to us as we think about the information we store. If data is precious, we think, then of course we should, to borrow a phrase, “keep it secret, keep it safe”.
So, what about ‘awareness’? Why do we need to be aware of security? After all, strong walls and deep vaults don’t need our constant attention to be secure! I think about this often and wonder what people think security professionals mean when we say they need to be aware of information security. Do they think we’re asking them to know who manages information security in their business, or to know that information needs to be secure? Or do they think about their role in security as a process? After all, neither walls nor vaults can protect against threats if they are left open. Precious things might stop being safe if they are not kept secret – and who knows what long road may lie ahead to fix a problem brought about by indiscretion. It reminds me of the Second World War adage, ‘loose lips sink ships’, because while the scale is different, the principle remains the same.
This is why security awareness needs to include an awareness of why a secure process is required in the first place. The “why” is important. I often find myself thinking about my children when I present this concept, drawn back into my memories of the toddler years where every other word out of their mouths seemed to be “why”. “Why” was the response to every instruction, every statement and every event, large or small – whether I was prepared to answer it or not. Understanding the reasoning behind a rule can help children understand why it exists and help them to remember to do (or not do!) something whether their parent is in the room or not. Without the ‘why’, children learn only that they shouldn’t do this thing or say that thing in front of a particular person, rather than that they shouldn’t do or say it in general. The same logic applies with security awareness – without understanding the ‘why’ of a particular policy or practice, staff may choose to ignore it as long as they’re out of sight, presenting a security risk in the process. This is even more important to think about now that so many of us are working remotely, or in a blended pattern, where we are often ‘out of sight’.
This doesn’t mean that the “why” questions around our security practices will always be comfortable or easy to answer. In fact, “why?” is one of the most difficult questions to prepare for, especially when we are trying to get people to change their behaviour, but we shut down that conversation at our peril. It is the why that helps staff understand the importance of their behaviour, and sometimes, the why that makes us think again about our own security practices by prompting us to think about something from a new, and unanticipated, angle.
So, making staff aware of security means not only educating them about the kinds of security in place but their role in it. There is no use in providing half of the information when people need to understand the why as well as the what. They need to understand the risk or threat and what they must do to recognise how important their own actions are in maintaining that security. This is traditionally achieved through formal, scheduled training: where a designated person takes on the role of communicating important rules and guidelines to staff in order to inform and empower them to work in a way that protects sensitive information. But this overt training isn’t the only option available, and there are several techniques that organisations can use to nudge, prompt or remind people to behave in the right way without interrupting their daily workflow. We’ll talk about some of these techniques in later chapters.
So, security awareness is about understanding that a threat or risk exists, knowing that there are steps that a person can take to help protect sensitive information and systems, and putting that knowledge into practice. Laying it out this way makes security awareness sound simple, or at least straightforward: identify a threat and build a defence to counter it. But things are rarely so clean in the real world. The fact that you are reading this book means you probably already know that. So what’s the problem? Why isn’t security awareness as straightforward in practice as it is in theory? One reason is the hidden complexity that lies between the steps of “identify the threat” and “the person takes preventive action”. Because, in fact, the sequence of events includes the identification of the threat, designing the defence, motivating the defender, and that defender acting to mitigate potential security risks.

Practicality

An effective security campaign or procedure is one that accounts for the day-to-day working practices and behaviours of the people it is trying to influence. Indeed, we often see this as a key failing when looking at unsuccessful initiatives after the fact, as we realise that the proposed solution unintentionally added stress or burden onto the people who were required to implement it. This additional level of burden can then lead to people ignoring or avoiding the new, more secure practices, as they actively get in the way of their ability to complete their work and meet their targets.

Example

In the early 2010s, an NHS Health Board raised concerns regarding the security of paper-based patient records when nurses were visiting patients in the community. There was a concern that taking patient records into the community might lead to a healthcare practitioner leaving sensitive documents behind after a visit, resulting in unauthorised people having access to sensitive information.
Several potential solutions were considered. One proposal suggested that staff should simply leave all documentation that was not relevant to a particular visit locked in their car. This then led to the concern of the data being lost or leaked if the car should be stolen while the healthcare practitioner was visiting a patient. This is a valid concern, as it doesn’t matter whether getting access to the documents was on the mind of the thief when they stole the car, it only matters that stealing the car would result in the loss of that information.
With this in mind, the Health Board took the suggestion a step further, and redesigned the process to ensure that practitioners only ever carried the files of the patient they were visiting at any time. All other files would remain in that practitioner’s central hub. This appeared to solve the problem entirely, as no papers would be left unattended in a car (and thus potentially stolen), and the patient would only have access to their own records should any paperwork be forgotten or left behind by the healthcare practitioner after the visit.
What this proposal didn’t consider was the practical implications of this solution. To work ‘securely’ under these new procedures, healthcare practitioners would have to return to their central hub between every patient visit, to return the files of the patient they had just seen and collect the paperwork for their next visit. In practice, this could have a significant effect on workflow, especially if the community being served was rural or widespread, with patients living further away from the central hub. This could be particularly frustrating when healthcare practitioners were visiting several patients in the same location, such as in a nursing home, as they would have to leave and return to the same location multiple times to comply with the new procedure. More time being spent in transit meant that healthcare practitioners would have to spend less time with each patient or visit less frequently to make up for the lost time.
Ultimately, these solutions were considered unworkable, and the risk was flagged as an ongoing issue, with the task of risk mitigation being delegated to the different surgeries, hubs, and practitioners to allow a tailored solution that worked for their situation.
This example allows us to see the importance of creating security practices and solutions that recognise the practical day-to-day aspects of an organisation that are sensitive to the resources available at the time. For instance, the earlier example has long since been improved, as paper records were replaced by digital records, which allows healthcare practitioners to have access to a range of patient files using their mobile device – so the risk of files being left anywhere is no more. Yet, with this advancement comes new concerns about device security, encryption and shoulder surfing, and so the process of threat recognition, defence design, motivation and secure practices continues.

Insecurity Awareness

So why did I say that security awareness was a misnomer and doesn’t reflect the issues at hand? After all, don’t we want staff to be aware of security processes, follow them and thereby protect data? Well, of course we do, but I would argue that many issues around information security occur not when individuals fail to be aware of the security procedures in place but when they fail to recognise moments of insecurity. Becoming aware of areas of insecurity is a vital step in making information more secure. Staff need to recognise not only the procedures in place but the world of potential risks to data and, importantly, an absence of security measures to counter them. In short, we need ‘insecurity awareness’.

Human Insecurity Awareness and the Media

The thing is that insecurity awareness isn’t as difficult to spread as you might think. Long ago, in the misty days of 2008, a series of news stories in the UK elevated information security into the general public’s consciousness. No longer was the only risk to information some strange techno-magic devised in dark corners by elusive hackers wearing black hoodies and typing inexplicably quickly. Instead, the public became aware of the risk associated with human action or inaction.

Example

On 18 October 2007, Her Majesty’s Revenue and Customs Office (HMRC) received a legitimate request for information about the recipients of child benefits. This request included, but was not limited to, the names and addresses of everyone in receipt of that benefit. The information was collected and burned onto two CDs, which were then sealed in an envelope and sent by unrecorded internal mail to the National Audit Office.
On 24 October the National Audit Office complained that the HMRC had not responded to their request as no data had arrived. It seems likely that what followed was a period of some panic. An enquiry was formed, reviewing everything from whether the discs had indeed been burned as stated, to a physical check of every building that the discs would have passed through. Cupboards and filing cabinets were searched, as the efforts to locate the discs moved beyond the HMRC offices, to the post office centres that might have handled the envelope, and beyond.
The search was unsuccessful, for while the enquiry could show that the discs had indeed been created, and that they had been prepared for posting, their whereabouts after this point were unknown. The error was not with the HMRC, but somewhere on the journey between the HMRC and the National Audit Office. The Chancellor of the Exchequer was briefed on the data loss on November 10th, and what followed was a wealth of news coverage about the most famous and widespread data security leak in the UK up to that point. After all, child benefit was not means tested in 2011, and the discs therefore contained the names and addresses of almost every child under the age of 18 in the UK. There were additional fears, too, as the bank details of many families had been recorded on those discs, where those families had chosen to receive child benefit straight into an account rather than through other means.
The media coverage that followed the leak was widespread, and every affected home in the country received a letter from the government explaining the events. And thus, almost overnight, approximately 25 million people in the UK learned how easy it was for their data to become compromised through the actions of people they didn’t know and would never meet.
With data loss the focus of the moment, journalists began to search for more examples of data leaks caused by human error. After all, there was little hay to be made of an anonymous hacker, working in complex and mysterious ways half a world away – but a human-assisted data leak, that had potential. Human-assisted data loss could have a name, and an opportunity to assign blame and seek justice. Suddenly, the abstract concept of ‘data loss’ could have a face.
Examples like these may seem obvious in hindsight, but it is important to note that human-assisted data loss is not just about making careless mistakes, like leaving a laptop on a train or sending sensitive information to the wrong person. In fact, many instances of this type of data loss occur simply because no one has ever considered the potential threat before. Consider, for example, the case of a UK bank upgrading their computers in 2008 and passing their old machines to a third party for secure disposal, only for those same...

Table of contents

  1. Cover
  2. Half Title
  3. Title
  4. Copyright
  5. Contents
  6. Acknowledgement
  7. Introduction
  8. Chapter 1 What Is Security Awareness and Why Should You Care?
  9. Chapter 2 Security Awareness and Protecting Information Through History
  10. Chapter 3 The Challenges of Communicating About Security Awareness
  11. Chapter 4 Taking on an Invisible Threat
  12. Chapter 5 Turning ‘Behavioural Intent’ Into Habitual Behaviour
  13. Chapter 6 The Challenges of the COVID Years and the ‘New Normal’
  14. Chapter 7 Security Awareness Programs and Mental Health in the ‘New Normal Age’
  15. Chapter 8 Looking Back at the Start of ‘New Normal’ Working: A Case Study
  16. Chapter 9 Carrying Forward the Loot From the Hard-Fought Battle
  17. Chapter 10 “They Think It’s All Over …”
  18. Index

Author: Wendy F. Goucher