American View: How Much Security Awareness Is Too Much?

Management

I opened last week’s column with the declaration “October is Cybersecurity Awareness Month.” In retrospect, I didn’t need to say it. October = CAM has been the norm for over twenty years now. Everyone in the corporate sphere knows. It’s inescapable. It’s even … dare I say it … getting kind of annoying.

I say that because the pressure placed on us folks in the “human risk” career field to deliver “arena rock” level activities seems to increase every year. It’s not enough for us to remind our users of the necessity of good cyber hygiene practices; we’re expected to inflame the passions of our co-workers through fiery rhetoric, whimsical diversions, and constant engagement. We need games! We need speeches! We need TikTok dances! We need celebrity endorsements! Can we get a parade? We need a parade, too!

Fortunately, a lot of the vendors in our space empathize with our plight and publish free or discounted content that a human risk practitioner can use to augment their programme. KnowBe4, for example, released an entire CAM24 resource kit replete with posters, videos, graphics, and a detailed action plan. Infosec Institute has a year-long “campaign plan” service full of pre-generated content that goes up to 11 for CAM. The National Cybersecurity Alliance, Optiv, and CybSafe all have toolkits and goodies that can help a small team or solo practitioner punch above their weight come October. ^[1]

Still, there seems to be pressure from the industry to have something new and novel every bloody day throughout the month. To leave a workday unfilled with “cyber joy” is a cyber sin, not just a lost opportunity. The goading to deliver more, more, more! becomes overwhelming to the point of absurdity.

To say nothing of the shattered content creators who need to generate all this.

For example, I was noodling ideas for an CAM-inspired angle for this week’s column and googled historical events that might serve as attention-grabbing fodder … that could also be easily co-opted into a catchy security education message. I discovered that it was on 22nd October 1797 that legendary French aeronaut André-Jacques Garnerin demonstrated the first successful parachute descent. That was perfect! Let’s see …

“Now-a-days we take for granted that fighter pilots always have a safe way to escape their aircraft in an emergency and live to fight another day. Thanks to André-Jacques Garnerin, we have safe and effective parachute technology. How many aviators’ lives have been saved snice 1797? It’s impossible to say, but we’d never want to rocket into the heavens without his discovery. So, too, we wouldn’t want to ‘pilot’ our corporate inbox every day without an equally important safety device: the ‘Phish Reporting’ button in Outlook’s ribbon bar…”

HUUUURRRRRRKKK! That message is so cheesy that everyone who read it is now lactose intolerant. Sorry (not sorry). It’s not just cheesy, though; it’s downright silly. It’s a rhetorical reach in the same sense that Lake Superior is a body of water.

I don’t mean to let our side down, but … Can we please stop this? This obsession with filling every waking moment each October with “cyber content” has passed the point of usefulness. I understand the perceived need for saturation; we’re competing for a very small share of peoples’ attention with so many other causes and ideas that any “lost” opportunity might result in rampaging ransomware.

“What’s more annoying, Keil? 12 hours of compulsory security lectures or a £10 million fine for allowing our customers’ credit card numbers to get stollen by the ‘Fancy Bear’ APT group? Huh?!”

Ours isn’t the only “X Awareness Month” in October; there’s also:

… and three dozen other month-long “celebrations,” to say nothing of the dozens of individual holidays like Peat Cutting Monday in the Falkland Islands. It’s too much! Even if we had sufficient content to fill every user’s every free minute, we can’t “saturate” the workdays with security-themed messages and be effective in changing user behaviour. The same can be said for the above-listed “awareness” topics. No one is going to eat pizza for every meal every day for a month without overdosing on cheese (so to speak).

Seriously, I really think we’re trying too hard. Sure, our mission – to help people stay safe online – is both noble and necessary. More important than celebrating “Liver Awareness Month” to be sure. That said, there is a case to be made that overdoing it may do inflict harm than good. I submit that we ought to focus more on quality than quantity. Make the few events that we can reasonably expect our users to engage with worth their time.

I realize this is an unpopular opinion within our industry. The current trend in human risk is a logical evolutionary step from the big Security-Awareness-as-a-Service providers: leveraging machine learning and automation to mince a traditional annual, semi-annual, or monthly focused programme into a barrage of tiny, droplet-sized, messages, nudges, reminders, classes, and progress checks. A pipeline of constant contact points that no human programme manager can deliver. I get the appeal; the science suggests that the frequent application of small interactions can have a greater positive effect over time than a few “major” events experienced throughout the year.

That said, the new pseudo-AI managed services haven’t been in use long enough to judge. The data isn’t available – yet – to determine whether the “water torture” approach will alienate or enrage users more or less than traditional programmes. We’ll see. I’m hoping for the best, but …

After listening to my friends chat at the pub about their employers’ CAM efforts, I’m coming to believe that there’s a tipping point. A few days of heightened engagement can be effective; enjoyable, even. The CAM activities become something to look forward to, especially when the content is playful (as opposed to dry and dictatorial).

Somewhere between “a few” and “some” events a line gets crossed that turns “fun training” into “infuriating.” Engagement becomes enragement, as people feel their already constrained schedules are being stollen for no appreciable benefit. Where specifically is that line? It seems slightly different for every user and every office culture. So, maybe we can’t precisely map it … but we’re pretty darned sure it exists.

That’s why I’m asking you to re-think both your CAM25 campaign plans and your possible adoption of fully-automated-luxury-space-security-training. Maybe consider instead to focus on quality over quantity when it comes to human risk engagement. Have some empathy for your overburdened, brain-fried, and perpetually fatigued users … and your equally exhausted “human risk” practitioners.

^[1] These aren’t endorsements of the vendors’ products or services; y’all can find all this – and many, many more – resource packs – by googling the topic. If it works for you and your programme, great. If it doesn’t, at least it didn’t cost you anything.