One of my favourite films is “Thank You for Smoking” which stars Aaron Eckhart as a lobbyist for big tobacco. The movie takes a satirical look at Aaron’s character deflecting criticism aimed towards smoking.
In one scene a TV debate is taking place and a doctor brings out a young cancer patient and cites cigarettes as the cause of it. To which Aaron responds that cancer does not benefit the tobacco companies. It is harmful because it literally kills their customers.
However, cancer is very good for the medical industry because it gives ensures customers they can treat for a long time.
To be clear, I do not condone smoking or believe that it isn’t harmful to ones health. But it’s a really interesting way to frame an argument and plant the seeds of doubt… who really benefits from a bad situation?
In that regard, the security industry is similar to the medical profession. The more illness or hacking that goes around – the more profitable the profession.
It’s because of this that for many years rumours would circulate on how the anti-virus industry funds the creation and distribution of malware in order to boost their own sales.
Planting the seeds of doubt doesn’t take very long – and once an idea is incepted, it can be very difficult to shake it. Just watch an episode of Scooby Doo to see how the real suspect can be right in front of you the whole time, but assumptions and biases prevent you from seeing it.
A good example of how difficult it can be to rewire the brain can be seen in this video which shows how a person learnt to ride an opposite steering bike and in the process forgot how to ride a normal one.
Which is why, I find it disturbing that FireEye CEO Dave DeWalt indicated that the company’s disappointing results, which saw stock prices tumble nearly 25%, on a lack of Chinese hackers.
“I believe this change in customer buying patterns is at least particularly due in changes in the threat landscape in the wake of the global cyber security agreements we’ve seen with China that is making headlines since September,” said DeWalt.
The message this sends out is that the security industry is grateful and profits from the actions of malicious hackers and that a drop in
‘nation state hacking’ is bad for business.
Now that’s probably not the case. But it’s enough to sow the seeds of doubt. The next time China ramps up its hacking activities against US companies don’t be surprised if someone lets out a ‘zoinks and raises a suspicious eyebrow.
Approaching User Awareness
In days long gone by, a lazy weekend meant sleeping in till mid-day, watching TV and going out with friends. With children that all changed and I’m lucky to sleep in at all before the weekend routine of extra-curricular activities start ranging from tuition, swimming, fixing things around the house and doses of, “I’m boooooored”
Just like the definition of a lazy weekend changes depending on circumstances and size of family – a user awareness program will vary depending upon the size of your company, the culture, regulation, what your objectives are and so on.
The first step one should consider taking before embarking on a program is baselining the current company culture and mapping them against risk vectors you are seeing.
If you’re stuck for ideas on how to start, the security culture framework is a good free resource. This will also help you define metrics and measurements. If you’re not measuring… or measuring the wrong things, then you won’t be able to validate any progress.
Once you’ve established your baseline, got your metrics in place and identified threat vectors – you will be in the ideal place to evaluate the different options that are available.
It could be that the best approach for your company is to have informal breakfast meetings, show educational videos, or to undertake computer-based training. Maybe you are primarily worried about users clicking on phishing links – or in other cases you are concerned with users using untrusted cloud storage platforms.
In any case, picking the right tools and techniques that meet your objects and fit your company culture are imperative to making meaningful progress in user awareness… unless of course you don’t want to train users so well that you no longer have a job!
Notable vendors in the user awareness space are listed below. Let me know if I’ve missed out anyone important.