Cybersecurity Culture Training vs. Cybersecurity Awareness Training
I've worked on cybersecurity awareness for years. But it's a term I really don't like. It's not that I don't like the concept, it's more that the phrase tends to lean toward just making people know it exists. It often focuses on phishing, but at a very basic level. Then many of us in the cybersecurity field complain that the users of IT are always falling for phishing messages. Of course they are!
Phishing is getting harder to detect. First, phishers are getting more sophisticated. Yes, we do have folks that still fall for poorly written phishing emails. But we need to remember that it's easy because we're experts, or at least working toward expertise. Most users are fledgling learners, and often resistant ones at that. And phishing is becoming more advanced. I honestly think large language models like Google's Bard and OpenAI's ChatGPT will make it worse. As an example, the below was generated by ChatGPT using a very basic prompt. With better-engineered prompting and a more specific language database behind it, an LLM will probably be able to generate even more convincing emails. (this one is a bit formal, so hopefully, that would trigger suspicion, but that's highlighting some flaws in training when users fall for it)
With a small amount of engineering, the below is perhaps mildly better, and at least less formal. Certainly, if your Sys Admin is a fun-loving personality, this might come across as valid.
It's a team sport. But large language models and cybersecurity are topics for another time. This is about culture. Culture is about shared beliefs and behaviors, which is far more powerful than just foundational awareness. And most cybersecurity training for non-cybersecurity professionals tends to scratch the surface of showing what phishing might look like, and then it ends. And maybe we do it again later. But it's not driving useful behaviors. A useful behavior is knowing that the cybersecurity team, whether that's a system admin or a full-fledged SOC, is on their side. It's knowing that any user can ask if a message is phishing as soon as there's anything suspicious. And that the security team will respond in a positive, supportive way. That can be a burden on the security team, but it's almost always less of a burden than handling the incident when security fails.
Teaching as part of a culture. That's the next important point in culture. While we certainly aren't looking for failure, the reality is that any organization that is in any way targeted will likely be breached at some point. And untargeted organizations aren't immune either. So we can't look at security as unbreakable. Very few people intend to fail. Those are usually what we refer to as the insider threat. And that's a hard topic for another posting. Punishment is valuable for intentional actions, but anyone subscribing to the organizational culture of security will gain more from education and less from punishment. Especially when our current training, on average, is horrible. It's akin to punishing a fourth grader for failing a calculus exam even though you gave them the calculus textbook. Calculus is essentially a new language for them and a challenging one. Cybersecurity has its own language, which is also challenging for non-IT folks. You're destined for failure if the security team doesn't see themselves as teachers. Teaching helps develops a culture where the organization works as a team and users don't feel alone, especially after being told that users are the weakest point in a cybersecurity perimeter and that they will likely miss something.
So what do we do about it? Make security part of the organizational culture rather than an add-on. There shouldn't be organizational culture and cybersecurity awareness training. Yes, making it part of the organizational culture does require buy-in from leadership and strong support from the IT/security team. So it's easier said than done. But incident response is easier said than done, too. And the loss of intellectual property, sensitive data, or revenue is what we're trying to avoid. Don't read a page from the textbook, then expect perfection on the exam. Instead, focus less on teaching the exam and more on working together as a team.