Cybersecurity Culture Training vs. Cybersecurity Awareness Training

I've worked on cybersecurity awareness for years. But it's a term I really don't like. It's not that I don't like the concept, it's more that the phrase tends to lean toward just making people know it exists. It often focuses on phishing, but at a very basic level. Then many of us in the cybersecurity field complain that the users of IT are always falling for phishing messages. Of course they are! 

Phishing is getting harder to detect. First, phishers are getting more sophisticated. Yes, we do have folks that still fall for poorly written phishing emails. But we need to remember that it's easy because we're experts, or at least working toward expertise. Most users are fledgling learners, and often resistant ones at that. And phishing is becoming more advanced. I honestly think large language models like Google's Bard and OpenAI's ChatGPT will make it worse. As an example, the below was generated by ChatGPT using a very basic prompt. With better-engineered prompting and a more specific language database behind it, an LLM will probably be able to generate even more convincing emails. (this one is a bit formal, so hopefully, that would trigger suspicion, but that's highlighting some flaws in training when users fall for it)

Subject: Urgent Account Verification RequiredUser,We regret to inform you that our system has detected an irregularity in your account settings. To ensure the security and integrity of our network, we request your immediate attention to resolve this matter.Our scans indicate that you are using an outdated email client, which may compromise the confidentiality of your communications. As part of our routine system maintenance, we have implemented enhanced security measures, and it is imperative that you update your email client accordingly.To initiate the update process, please click on the following link: [Malicious Link]Please note that failure to comply within 24 hours will result in a temporary suspension of your account. We apologize for any inconvenience caused, but the protection of our users and the confidentiality of our data is our top priority.Should you require any further assistance, please do not hesitate to contact our dedicated support team at [Fake Support Email].Thank you for your cooperation in this matter.Sincerely, [Impersonated Name]System Administrator

With a small amount of engineering, the below is perhaps mildly better, and at least less formal. Certainly, if your Sys Admin is a fun-loving personality, this might come across as valid. 

Subject: Important: Verify Your Account Now!Hey there!We've got some urgent news about your account settings. Our system noticed something fishy going on, and we need you to act fast to keep things secure.Here's the deal: Your email client is outdated, and that's putting your messages at risk. We've taken steps to beef up security, and now it's time for you to update your email client, pronto.Click this link to start the update process: [Malicious Link]You've gotta act within 24 hours, or else we'll have to temporarily suspend your account. Sorry for the hassle, but our users' protection and our data's confidentiality come first.Need help? Reach out to our support team at [Fake Support Email].Thanks for cooperating!Best, [Impersonated Name] System Admin

It's a team sport. But large language models and cybersecurity are topics for another time. This is about culture. Culture is about shared beliefs and behaviors, which is far more powerful than just foundational awareness. And most cybersecurity training for non-cybersecurity professionals tends to scratch the surface of showing what phishing might look like, and then it ends. And maybe we do it again later. But it's not driving useful behaviors. A useful behavior is knowing that the cybersecurity team, whether that's a system admin or a full-fledged SOC, is on their side. It's knowing that any user can ask if a message is phishing as soon as there's anything suspicious. And that the security team will respond in a positive, supportive way. That can be a burden on the security team, but it's almost always less of a burden than handling the incident when security fails. 

Teaching as part of a culture. That's the next important point in culture. While we certainly aren't looking for failure, the reality is that any organization that is in any way targeted will likely be breached at some point. And untargeted organizations aren't immune either. So we can't look at security as unbreakable. Very few people intend to fail. Those are usually what we refer to as the insider threat. And that's a hard topic for another posting. Punishment is valuable for intentional actions, but anyone subscribing to the organizational culture of security will gain more from education and less from punishment. Especially when our current training, on average, is horrible. It's akin to punishing a fourth grader for failing a calculus exam even though you gave them the calculus textbook. Calculus is essentially a new language for them and a challenging one. Cybersecurity has its own language, which is also challenging for non-IT folks. You're destined for failure if the security team doesn't see themselves as teachers. Teaching helps develops a culture where the organization works as a team and users don't feel alone, especially after being told that users are the weakest point in a cybersecurity perimeter and that they will likely miss something.

So what do we do about it? Make security part of the organizational culture rather than an add-on. There shouldn't be organizational culture and cybersecurity awareness training. Yes, making it part of the organizational culture does require buy-in from leadership and strong support from the IT/security team. So it's easier said than done. But incident response is easier said than done, too. And the loss of intellectual property, sensitive data, or revenue is what we're trying to avoid. Don't read a page from the textbook, then expect perfection on the exam. Instead, focus less on teaching the exam and more on working together as a team.