I’ve recently started working with Marmalade Box and as part of my induction, I went down to London last week to attend their Re-Thinking the Human Factor workshop presented by MD & Founder, Bruce Hallas… and, boy, did I learn a lot! I came back with 13 pages of notes, a head crammed full of ideas and a much better understanding of information security and SABC™, Marmalade Box’s unique framework for influencing change in Security Awareness, Behaviour & Culture (the clue is in the initials!).
I was a total newbie when it comes to security awareness training and was the only non-infosec – I’ve picked up all the jargon – person there. I write for a living (I’ve joined Marmalade Box as their Content Creator) and have more than a passing interest in behavioural economics, nudge theory and psychology – which stood me in good stead for parts of the day.
The other attendees included a range of people from an Education and Awareness Manager to a recent Master’s graduate, an IT security professional with over 20 years in the business and an independent security consultant.
The Re-Thinking the Human Factor Workshop was broken into 6 main topics:
- The basics
- Being human
And the first thing I learnt? That information security is about human behaviour: most breaches are caused by people.
As someone who still knows people who store their passwords in a little notebook next to their computer and use the names of the pets they had as a child for most of them, perhaps that shouldn’t surprise me – but it did.
I thought it was all complicated programs and hard-to-understand techniques and technologies. But whatever policies, processes and procedures you have in place, without buy-in and compliance from the rest of the organisation, it doesn’t really matter. Which is why education and awareness are so important and integral to effective cybersecurity.
As Donald Rumsfeld so eloquently put it:
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”
Thanks, Donald, that’s crystal clear. But he’s right. It’s hard to act on things you don’t know you don’t know. Impossible even.
The business case for education and awareness around information security is huge.
There are the personal reasons that a layperson like me has thought about on reading about data breaches in the news (losing your data, privacy, savings, reputation, and, in some cases, self-respect and ability to look your neighbours in the eye), which roughly translate for a company too.
The loss to profit and reputation can be enormous. Having just learnt that nothing can be 100% secure, it then seemed obvious that education and awareness should be high on the agenda for organisations and worthy of greater investment from them in terms of time and budget.
As well as analysing risk and prevention, organisations need to build their resilience to threat too, which can come from outside, like a virus, or internally, like your own staff – because we’re all human.
Which I’m going to look at in the next blog, Part 2 of Re-Thinking the Human Factor security awareness training.