Business Reporter

American View: Why Y’all Need to Add Some AWDIKs to your Audit Program


I spent the last week convinced that we’re missing something important in security awareness doctrine. Something obvious, that – if implemented – would significantly improve every “human risk” practitioner’s effectiveness. Something so obvious and simple that it’s downright embarrassing that we’ve overlooked it. I was ready to chew the furniture in frustration when a new email alert reminded me that I had a meeting with the auditors coming up in an hour … and that’s when the missing piece fell into place. As the old Zen kōans would say it, “At that moment, the dork was enlightened.” 


First things first, what’s an “audit”? As far back as the 15th century, it meant “an inspection, correction, and verification of business accounts, conducted by an independent qualified expert.” An audit, performed honestly and in good faith, can be an excellent tool for validating whether a process is being run correctly … with “correct” being measured against a published standard. Most business processes can benefit from a good audit, since an unbiased outsider is likely to notice weaknesses, oversights, and performance issues that the people performing the tasks haven’t perceived and that could do with correction. 


That said, audits have limitations. First, they focus on process rather than content. That’s fine for functions with immutable inputs and outputs (like accounting); less so for nuanced, irrational, and complicated inputs and outputs like human behaviour. Second, audits usually happen after a process is executed. That is, you don’t audit something before it happens or during its delivery; you audit something after it’s finished … examining its inputs and outputs to ensure the required process was executed correctly. That doesn’t help evaluate the effectiveness of activities like training or education. Finally, audits are often performed by inspectors with no “skin in the game” (so to speak). Neutral outside experts usually don’t care about a process’s effectiveness save for those aspects that can be measured. Not their job. 


All this isn’t to say that audits are useless. In truth, audits are valuable when used intelligently. They fail when they’re assumed to be a validation of subjective elements that can’t be measured. For example, an audit of a new employee’s security training can accurately measure whether the training was delivered on time, but it can’t measure the effectiveness of the rhetorical tools employed, the students’ comprehension of the content, or the practical usefulness of the techniques taught. Additionally, an audit conducted after a class is over can’t correct inadequate training that’s already been delivered. 

I can barely afford stock photos; ain’t no way my boss is going to increase my budget enough to buy a time machine.

This, I suggest, is why we need to implement Audit’s “country cousin” in our programs … We need to fill the gaps that traditional audits can’t reach. We need, to use an obscure term from Texas, an awdik!


Let me explain. A.W.D.I.K. is an initialism I made up years ago while teaching new lieutenants how to craft effective briefing decks. It stands for “And Why Do I Care?” As I sat through a lieutenant’s draft deck, I’d interrupt their delivery to ask the officer what they meant whenever their language became (as is typical for the Army) incoherent, impenetrable, and annoying. I’d demand that they re-phrase their point as if I were a pilot until I could repeat it back correctly. 


At first, the lieutenants got annoyed or embarrassed by my interruptions. They didn’t much care for my insistence that we couldn’t proceed until their points were made clear and simple. Eventually, they realized that we grumpy old captains were trying to help them avoid making fools of themselves in front of the much grumpier old colonels. 


Figure out what you’re trying to say, we advised, and then say that without all the wasteful jargon. Bad staff officers hide their incompetence in smokescreens of mystifying acronyms, symbols, and tortured English. Good staff officers are direct and clear. No one should leave their briefing without understanding exactly what you wanted them to know and why it was important they know it. 


Eventually, the lieutenants would start talking obtuse nonsense in their briefs, expecting us to interrupt with a drawled “awwwwww-dik?”, and would carry on with an explanation of why we should give a darn. In time, they learned to build their content around the A.W.D.I.K. concept to pre-emptively mitigate audience confusion and resistance. It worked for generations of young officers … and it can work for us in the security world, too. 

Contrary to what TV dramas teach us, cybersecurity isn’t all Hoodies & Hackers. Come to think of it, I should write a D&D 5E expansion book with that title to cash in on the craze. TV “security” is just “wizardry” with extra steps.

Far too often, security awareness practitioners are tasked to teach concepts, techniques, or incidents that our audience can’t parse or digest. Our users might lack the technological foundations required to understand our terms, or lack the context needed to understand why what we’re saying is important. They might assume that our message is meant for others since it doesn’t seem to fit into their corner of the business. Or they might think we’re trying to be difficult because we’re a bunch of smug elitists.


Those errors are a failure on our part – not theirs. 


We need to communicate with our users effectively. That means meeting them where they are in terms of education, situational awareness, operational vocabulary, and pragmatic impact. We need someone to correct us when we get too far up our metaphorical backsides to make sense to a regular person. Someone to take our classes and read our drafts before we put them into production and interrupt us with a drawled “awwwwww-dik?” every time we stop making sense. 


Audits are fine tools for measuring procedural performance, but Awdiks are fine tools for evaluating the effectiveness, clarity, and resonance of the content that’s delivered through those same processes. We need both tools if we want to get our message through and create meaningful, timely, and effective behaviour change. After all, most of our users aren’t likely to interrupt our briefings with an exasperated cry of “What the hell are you trying to say?”

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543