Let's start with WHY
The 2022 Verizon Data Breach Investigations Report (VDBIR) shows that 88% of all incidents involve a human element as a partial cause of the breach. Why are people not getting this? Why are they so bad at basic security? Yes, some of them are just stupid. But that's the minority of people, so we can't hang our hat on that. Maybe it's because we security practitioners, law enforcement investigators, and crime-prevention specialists are just not very good at our jobs. Maybe?
Leadership expert Simon Sinek has a model called the Golden Circle, which provides a vehicle to help leaders better communicate company goals and achieve employee buy-in for the mission. Traditional top-down communication starts with the "what": what to do, or not to do, and then moves to how to get it done. The "why" of a task is only explained if subordinates ask enough times, and even then the answer is usually something along the lines of "because we said so".
Sinek proposes that true leaders start with the “Why”. The conversation starts with an explanation of why something needs to be done and details the positive benefit the task will have on the organization and the employee. The leader gets buy-in for the project before they move to the hard details of the what and how.
As security and crime-prevention practitioners we are super at telling people what to do, and how to do it, but do we ever really explain the why? Our awareness training sessions usually go something like this: This is a phishing email. This is how you can tell it's a phishing email. "Bad things" will happen if you click the link in this email. O.K. Thanks for your time, and we'll see you all again next year.
Did we get buy-in? Or did we only do security theater?
What if we started with the why?
"A security incident costs the average business 3.2 million dollars and can bankrupt a small to medium organization. It's not only the cost to repair the damaged system but also the loss of business. The average ransomware payment is $136,000, with millions more lost due to employee and system downtime. On average, a company victimized by a Business Email Compromise attack will incur a loss of 5.1 million dollars. It's way bigger than just the financial loss: you and your colleagues can lose your jobs. Cybercrime expenses are cut from the bottom line. Even if the loss is covered by insurance, our premiums will go up exponentially. Studies show that once a business loses a customer from the publicity of a security incident, they don't come back. One poor decision, a single mouse click, can have devastating consequences for our organization.
O.K., now that we know the why, let us examine the anatomy of a phishing email and some ways to quickly identify them."
This seems like a more effective method of delivering security training. Let's change our mindset, start with the WHY, and reduce the human element in future security incidents.