Why attempts to raise the level of information security awareness are failing, and what to do in order to change it.
Written by Eh’den Biber
Prologue – Battlefield
The field of information security is system and technology driven. This is why it is no wonder that the first attempt to make people act the way we believed was best from an information security standpoint was compliance. Oh, and it worked SO great, didn’t it? Dear auditors, this was a rhetorical, cynical question, so let me assure you: when it comes to humans, compliance doesn’t work, sometimes even when you put a gun to someone’s head.
We moved from compliance to awareness, and we continue to fail.
This article will try to break down the multiple reasons why we fail in our information security awareness activities. After years of looking into awareness from educational, psychological, neurological, biological and spiritual perspectives, I realised that the reason we are failing to increase awareness is that we never did a true root-cause analysis.
Believe me, I’ve been doing everything I can to avoid writing this article. Like Arjuna, the hero of the Bhagavad Gita, I tried to avoid going into a battlefield, getting on a collision course with a community of people, some of whom I know personally. Every time I wanted to write the article you’re about to read, my subconscious was re-living the times I’ve been ridiculed, judged, kicked around (physically, emotionally, verbally), and eventually, stabbed (yes, in London). When in a battlefield, it is hard to remember that who you think you are is a mind running on an ego operating system, one which has been optimised to increase your survival rate. This thing, my humanity, was preventing me from writing, in order to prevent the suffering, to increase survival rates. This is what the brain/mind is meant to do, and in my case, my brain was trying to increase my professional survival.
The reason for my long silence in recent months is that I came to the realisation that our profession is based on pseudo and proto science, that most of what we do can be qualified as cult behaviour (cargo, anyone?), and that our blindness is at the core of our failure to reduce the likelihood of a future loss event caused by a “human vulnerability” that leads to wrong decision making.
Finally, I said it, and here I am experiencing how it feels to be honest and fearless. Blessed.
Before we start our dive into the subject of “awareness”, let’s first look at how awareness is defined. Here are a few examples:
- Awareness is the ability to directly know and perceive, to feel, or to be cognizant of events. More broadly, it is the state or quality of being conscious of something (Wikipedia)
- knowledge that something exists, or understanding of a situation or subject at the present time based on information or experience (Cambridge Dictionary)
- Knowledge or perception of a situation or fact; Concern about and well-informed interest in a particular situation or development (Oxford Dictionary)
- Having or showing realization, perception, or knowledge (Merriam-Webster)
Notice that the definitions above do not require you to be awake. You can be in the midst of a dream and still be in an “awareness” state. You can be aware of a lot of things during your dreams, but obviously, when you wake up from the dream you realise it was an illusion.
Second, notice that “awareness” says nothing about the ability to react. You can be dreaming of being tied to a railway, then feel the vibration of the train on the metal rails, then see it in the distance, hear its motor and experience the whole thing approaching you – but you have no ability to do anything at that moment. Chances are that when you die in the dream you will wake up into “reality”. This is an example of being aware you are about to die, but having no ability to respond. Another example is when you smoke too much, or drink too much, or eat too much, and you hear a voice in your mind saying “what the hell are you doing????” – but you are unable to react. There are many causes for that: being exposed to a parasite that controls your brain, being overwhelmed with electromagnetic radiation, suppressed childhood memories that control your behaviour. The point is – it doesn’t help if you know everything about information security if you are going to do the opposite because you had a bad day at the office, or at home.
To sum up where we stand:
- We try to reduce the likelihood of a future loss event caused by a “human vulnerability” that leads to wrong decision making.
- We think “awareness” is going to solve it.
- We target awareness, yet we do not take into account situations in which people are not fully awake (to be discussed later), and we ignore the fact that having knowledge does not mean being able to act upon it.
People are not computer systems; people are complex adaptive systems who are obsessed with their own perception of reality.
Obsession is, according to Merriam-Webster, “a persistent disturbing preoccupation with an often unreasonable idea or feeling”, and according to the Cambridge Dictionary, being “unable to stop thinking about something; too interested in or worried about something”.
Yes, we are obsessed with our own perception of reality, operating in an unreasonable manner, or in short – living in our own story. This is why we love external stories: the Bible, the New Testament, the Koran, the Bhagavad Gita, the first Buddha, capitalism, the history of humankind, Hollywood movies, Harry Potter, sexual fantasies and our family history. All are pure fiction from a truth perspective.
There are exceptions to that, at least in theory. The brilliant “Sherlock” series (2010-2016, and hopefully more) put a high-functioning psychopath in the leading role. In case you lived on another planet (or in Trump’s US), he was played by the brilliant Benedict Cumberbatch. In that series, Sherlock looks at all the miserable humans around him who are so emotional, while he is driven by cold, logical, scientifically driven deduction. We are not Sherlock, and thank god for that. Even psychopaths are driven mostly by their personal agenda, which is why we don’t have real investigative detectives like Sherlock, and even Sherlock was obsessed with solving crimes.
The people you wish to influence are obsessed with their story. Trying to force any other story on them (such as information security) without understanding their unique story is as effective as trying to make Trump change his mind by telling him he is wrong.
This obsession with our story is at the heart of our psyche, and it is what makes us vulnerable to those who know of it and take advantage of it – from politicians to advertising agencies (Google and Facebook included) to con men. How much do we, who work in information security, use people’s obsession to influence them to make better infosec decisions? Rarely, and when we do, it is never an official strategy. Most information security awareness programs out there use few, if any, techniques based on a deep understanding of how to work on the human psyche’s obsession.
There are solutions out there; one of the most advanced is “psychographics”, a proprietary technique of a company called Cambridge Analytica that was used to influence voters in the latest US election. They were using what they call micro-targeting, and measuring the impact it can have on a specific target audience or individual. It is still to be proven that CA has the capability to truly profile people and develop the right set of “micro-targeting” messages to increase information security capabilities. But even if they did, how many companies are ready to fund the creation of such a profile for all their employees, and a personally targeted awareness program built on it? I’ve been around for a while, and I never saw an organisation that dedicated a truly big budget to information security awareness programs, and when one did have a big budget, it was wasted on hiring an external consultancy that didn’t use such methods. It’s a chicken-and-egg game: since the board cannot grasp the true baseline of “information security awareness”, and since most baselines are not measured with the right methods, it is impossible to do a true risk estimation. It would be possible if you used analysis such as the one Cambridge Analytica uses, but the board will not spend so much money on such a survey, because the whole of “information security awareness” is considered a by-product of information security, not a pillar without which all infosec activities collapse.
Final point – I think it would be legally challenging to target employees this way, regardless of the good will of the organisation. We are talking about manipulating people, and the use of such techniques has really dark implications. I don’t see an EU GDPR compliance environment getting employees’ approval to use their details so they can be manipulated. Think manipulation going wrong, think huge compensation, think data breaches – I’ve said enough.
Manipulation works in some respects, but at this point (as far as I’m aware) we don’t have a scientific method to manipulate people into being more secure, and in any case this approach would not only be expensive but also very problematic from an ethical and legal standpoint.
OK, let’s assume we don’t want to manipulate our target audience, and we choose to educate them. Will it work?
Awareness cannot be gained via an education system and the knowledge it provides. What we perceive as “awareness” is not the result of a single element (knowledge) but the result of a multi-factor equation, with the factors and their interactions differing from one person to another.
In the article “Culture and Achievement” (City Journal, autumn 2014), Kay S. Hymowitz gave multiple examples in which a great education system did not produce successful students. What predicted a child’s success was not how good the education system was, but the family environment. Take for example Finland – a country hailed as having one of the best education systems in the world, yet immigrants seem unable to achieve the same results as their Finnish counterparts. If you come from a home that promotes information security, there is a higher chance of you succeeding in that field. If not, you are more likely to fail. How many of us were raised in such an infosec-driven environment? In the West, where freedom of speech is perceived as an important part of society, the chances are slim. If you grew up in an authoritarian regime such as the ones that were part of the Soviet Union, it is more likely that you were careful about the information you shared, but even that is not true of the whole population. That generation is now gone, and most young people in Russia, for example, are less aware of which information can hurt them. The same is true for China, which allows freedom of speech up to a point and focuses its enforcement on gatherings, protests and people who follow Falun Gong.
So if education doesn’t work, perhaps we can run campaigns to increase awareness? Well, it seems that this approach is failing too. The failure to raise awareness is common to all “raising awareness” attempts in fields such as politics, social (in)justice, and health. In the article “What Good Is ‘Raising Awareness?’” (The Atlantic), Julie Beck covered the challenge organisations face when trying to raise awareness of different health issues such as AIDS, breast cancer, and autism.
Take for example autism. Having an autism day/week is great, but does it make you truly conscious of something? I have spent the last 13 years of my life trying to figure out what it means for my son to experience life as a severely autistic individual, and even though I did all I could to grasp it, I failed. Since life is a personal experience, unless you have autism you can never be aware of what an autistic person experiences. It’s like saying “he is wearing pink” to a colour-blind person.
Education is driven by the environment in which an individual grew up, and the assumption that we can change the way people react to a complex stimulus via a new set of knowledge is unfounded and contradicts the results achieved so far.
One of the biggest criticisms I have had over the years of awareness training solutions is that there was no clear correlation between the awareness/training material and the scientific domain that was supposedly used to build it. Buzzwords such as “gamification” are currently the strongest trend, yet I fail to find a solution provider that can prove to me that when they develop content they set goals and objectives driven by scientific research. When content is offered to a client, there is no clear description of the science behind it. Yes, many awareness content providers employ psychologist(s) to develop the content, but the message from content providers seems to be “trust us, we know what we’re doing”. Yes, experience is extremely important, but I still remember my high school physics teacher, who had a lot of experience and whose methods of education were simply ineffective.
Allow me to share with you some of the science-driven approaches to information security awareness I have been busy developing. I’m sure that if you have worked in the field you must have looked into multiple scientific domains and examined the work of those who are considered the leading researchers in each:
- Creation of tailored awareness training, with personal messages developed to influence change within individuals. Using memes and targeting changes in the medial prefrontal cortex.
- Development of an awareness program based on constant exposure to positive patterns, in order to influence the behaviour of individuals. Use of big data to identify changes in behavioural patterns.
- Enhancement of cognitive control in order to reduce unwanted behaviour patterns (bias), while gaining from diversity in the workplace. Promotion of intended actions and behaviour via a clear action plan, avoidance of a suppression approach, and enhanced practice.
- Creation of a safe, boredom-free, stress-free and fear-free environment to allow increased curiosity. Use of signal cues to mark the importance of elements to the people being trained. Active participation of the whole target audience; allowing participants to fail without the fear of being shown they are wrong. Establishment of critical thinking instead of teaching about specific threats. Development of an incremental system for awareness training, with real-time, usable feedback on incremental progress.
- Development of a transparent organisational culture that provides a sense of certainty and decreases the likelihood of a distress state by reducing uncertainty and uncontrollability. Enhancement of reward, motivation and engagement, while promoting certainty and control. A culture of transparency allows individuals as well as the organisation to better handle information security challenges.
- Development of an awareness program that minimises resistance to change by allowing the participants to operate in a painless environment.
- Reduction of denial about the real level of information security challenges, using an education program that enhances individual understanding of the neurological elements of denial. Use of elements from evolutionary biology, focusing on the nature of self-deception, laughter, dreaming and depression.
There is one more approach which I truly believe is the most important:
- Development of an empathy and mindfulness program to enable change via openness, attunement and resonance.
This approach allows you to bypass many of the obstacles of the psyche, because it reduces activity in the brain areas that correlate with the “bad habits” of our obsessed story, allowing them to calm down. It is a long-term approach whose success you can measure using advanced technologies, and it is in my opinion the only thing that can truly reduce the risk this whole article is talking about. The biggest challenge is that most organisations are simply so immature in their understanding of human behaviour, and most HR departments, which are supposed to lead such activities, pay only lip service to the notion of employee behaviour change. There is one other approach that reaches the same goal by other methods, which will be the subject of another article.
Most content providers give no visibility into the scientific approach they take when developing content; most organisations don’t seem to care about the science their content providers use; and most organisations are too immature to invest in long-term programs that allow true change, the kind that can lead to a reduction in human-related information security risks.
Finally, the last segment of this article brings us to the invisible elephant in the room – consciousness. Matt Lieberman, professor of psychology at UCLA and a well-known neuroscientist, was recently asked what ONE thing he would want to pass on if all our knowledge about psychology were erased. This is what he answered:
“Consciousness is the most important problem of the mind – the rest is just dissecting machinery – and yet we have learned virtually nothing of significance about consciousness so don’t be fooled by theories that suggest we have.”
I’ve written about that subject in the past (2013). Here is a brief quote from that article, which starts with the words of the scientist who coined the term “the hard problem of consciousness”:
“No matter how complicated the system of neurons you’re looking at and how complex their interaction is, it is just very hard to see how this kind of interaction is going to give you subjective experience… the hard problem – how is it that all these physical processes in the brain give us subjective experience, why does it feel like something from the first-person point of view… We all have a subjective experience of “reality” and that experience defines how we see the world. It is something that science, with its current set of tools, is unable to define or measure, and it means that any “awareness” training not only needs to bypass the obstacle of learning new paradigms but also has to be able to withstand the subjective conscious experience we all have.”
Since subjective experiences are impossible to measure and quantify, none of the theories we have on changing people’s perceptions can provide us with a set of metrics that we can trust. Remember Cambridge Analytica, mentioned before – what they measure is not the personal experience but a representation of it, which is similar to trying to quantify how sadness is perceived by each and every one of us.
Consciousness is the most important element not only when it comes to information security, but much more than that – in the universe. This is a scientifically backed statement (again, perhaps the subject of another article). It is the most precious thing we have, yet most of us have no clue what it is, because we are so trapped in our own story, the one we are obsessed with.
Consciousness is a mystery, and until recently we had no way of explaining the hard problem of consciousness. If you want to achieve long-term behavioural change, awakening is your holy grail.
I know, it’s been a long article, but as you can see I love the awareness domain. Our obsession with our story is what prevents us from growing, and it is why I know most organisations are unable to solve the “information security awareness problem”. If an organisation wants to solve that problem, it will make it part of its organisational objectives. When they do, when they show readiness, then, as the proverb says, their teacher will appear. Until that moment we all continue to play pretend, as if we are actually doing something useful when it comes to the topic of awareness in the field of information security.
© All rights reserved, 2017