Components of Security Awareness and Their Measurement, Part 1

Components of Security Awareness and Their Measurement, Part 1
Author: Zsolt Bederna, CISA, CRISC, CISM, CGEIT, CISSP, ISO 27001 LA, CEH, ITIL 2011 Foundation
Date Published: 14 October 2020

People are an essential part of security. They operate processes; produce technology, in the cases of hardware and software; and apply technology; therefore, they are the basis of security. Furthermore, they behave according to their intrinsic and extrinsic sources of motivations.

However, as with technology, people have vulnerabilities that emerge in human nature and attitude and manifest in lack of knowledge or errors in processes. These vulnerabilities are easily exploited by attackers through the use of social engineering, which is “the art of tricking employees and consumers into disclosing their credentials and then using them to gain access to networks or accounts…(by the) deception or manipulation of people’s tendency to trust, be cooperative, or simply follow their desire to explore and be curious.”1

According to the online dictionary of the American Psychological Association, awareness is the “perception or knowledge of something” and “reportability of something perceived or known is widely used as a behavioral index of conscious awareness….”2

In human operations, there are two basic operational models: One for normal situations, where there is enough time to think and decide, and one for stressful situations with a tight timeline. A person’s awareness is composed of attitude and knowledge in normal situations, but in other situations, people behave according to automatism.

Awareness Components

This is the first of a two-part series discussing the awareness components that may influence the security behavior of humans, the awareness program generally, its maturity levels, delivery possibilities, the problems and the benefits of a security awareness program. This first part of the series addresses a theoretic analysis of human awareness, while the second part, “Components of Security Awareness and Their Measurement, Part 2,”3 discusses practical solutions for awareness measurement.

Attitude
Attitude is the first component of awareness. It is the result of an extended learning and socializing process. It can be defined as “a feeling or opinion about something or someone, or a way of behaving that is caused by this.”4 In 1959, researchers created a model to describe it. They defined the three components of affect, behavioral intention and cognition,5 and later added behavior as the fourth component.6

Because of the determining stamp of the socializing process, attitude depends on family, friends, school and surroundings.

MOST PEOPLE PREFER TO OBTAIN ACCURATE INFORMATION THAT IS BASED ON THEIR PERSONAL EXPERIENCE.

It also depends on age, which helps define how comfortable humans feel with the application and use of technology. The term “digital native” refers to people born in the digital era; in contrast, “digital immigrants” were born and grew up in a pre-computer world. But it is not true that all digital immigrants and all digital natives are created equal. It is essential to note that there are differences in both categories:

While most digital natives are tech-savvy by virtue of their being born around technology, others do not have a knack for technology and computers, or even an interest or inclination to learn more. Digital immigrants are also clearly a highly diverse group in terms of their attitudes and capacities in regard to digital technologies.7

Knowledge
The second component of awareness is knowledge. There are three kinds of knowledge: experiential knowledge, skills and knowledge claims. They are interconnected, but each has some specific features of their own.8

Experiential knowledge is gained through the sensory system, and the information is then processed by the brain. Skills are based on experiential knowledge and represent the know-how. Skills are well-structured and action-oriented and are learned by the repetition of doing certain tasks. Knowledge claims are what a person knows or thinks they know. These include both explicit and tacit knowledge that a person gains through experiences that exist in the subconscious zone and manifest as intuition.

Automatic Behavior
The awareness level of a person in a normal situation, when there is time to think, may differ from situations when there is a lack of time, such as in the case of incidents or crises. Generally, people do not pay attention to probabilities when under psychological pressure. In these situations, people exhibit automatic behavior because of the limitations of human brains.9 Human brains use fast-thinking capability to apply heuristics such as framing, availability heuristic, thin slicing and tyranny of small decisions.

During the learning and socializing process, the human brain creates concepts and theoretical perspectives based on experiences, which intensely narrows perceptions. Framing is how an individual organizes, perceives and communicates reality. Research indicates that “the complexity of practical problems of concurrent decisions…would prevent people from integrating options without computational aids, even if they were inclined to do so.”10

The availability heuristic is a mental shortcut that may bias the mind when it evaluates a specific topic, concept, method or decision based on memory.11 People tend to heavily weigh their judgments on more recent information, making new opinions biased toward that latest information. On the other hand, heuristic-based decision-making creates the opportunity for quick reactions. However, in most cases, it is effective if a scenario has played out in a systematic way.

Thin slicing is the ability to find patterns and make rapid inferences based on minimal amounts of information.12 It may help to make decisions, but without previous knowledge, awareness and experiences from similar events, it may result in the wrong decisions. Furthermore, it is easier for many people to add just one more item to the list of choices instead of making the choice itself. One author wrote, “a large array of options m[a]y diminish the attractiveness of what people actually choose, the reason being that thinking about attractions of some of the unchosen options detracts from the pleasure derived from the chosen one.”13

People have cognitive limitations in searching for and processing information caused by their limited memory capacity and the intention of obtaining information that supports their own opinions.14

Most people prefer to obtain accurate information that is based on their personal experience. Furthermore, accurately combining different sources of information is a cumbersome task. As a result, people tend to simplify, which may help, but it can also cause a person to make the wrong decisions.

Another approach that influences individual decisions is the mass effect.15 For example, in public voting or even in general decision-making, it is likely that a person’s first evaluation represents personal thoughts and the later ones may reflect the thoughts of the larger group or community.

AN ORGANIZATION’S AWARENESS PROGRAM SHOULD FIT THE NEEDS OF THE ORGANIZATION AND THE ABILITIES AND CAPABILITIES OF THE EMPLOYEES.

Based on the possible shortcomings of the human brain, which may cause different behavior in a normal situation vs. a crisis, it may be inferred that automation is the third component. However, attitude and knowledge deduce automation, and it is difficult to measure.

Awareness Programs

Awareness is a complex human attribute that has at least three components: attitude, knowledge and automatic behavior. An organization’s awareness program should fit the needs of the organization and the abilities and capabilities of the employees. Security awareness is a crucial topic in an organization, on its own or due to compliance reasons. However, an organization should ask itself whether it is good enough to be compliant or if there is a better way with a higher maturity level.

Delivery Methodologies
To reach a higher level in the maturity model and, therefore, a more effective security program, the best-fitted delivery method should be applied. There are a number of methods available, which differ in resource demand, mode, method and efficacy. Information awareness delivery methods can be divided into three main categories: instructor-led, conventional and online.16 The instructor-led method comprises formal presentations and training sessions. The conventional method uses email campaigns, posters and leaflets. The online method uses the IT infrastructure, such as computer-based programs, to deliver security awareness to employees.

These categories generally overlap, but they encompass the method more precisely than if the delivery methods were defined as offline vs. computer-based training (CBT), instructorless vs. instructed, text-based vs. gamified, or single vs. grouped. Instructed, grouped trainings are generally based on traditional techniques, but they are far more exciting if a healthy level of gamification is used. In this case, discussion-based exercises and operations-based exercises can be distinguished.17

Personal Involvement
Despite the chosen delivery methodology, the best presentation mode and method must be applied to reach the maximum effect. Systematic persuasion through rationality may have longer-term and stronger effects on subjects when they think through their decisions. “Rational decision making has been defined as a more advanced type of decision-making model, emphasizing the characteristics of thorough research and logical evaluation, selecting among possible choices based on reason and facts.”18

Rational decisions have three critical elements: paying attention, understanding and reacting. Personal involvement adds a further level of understanding of the topic because people use that understanding when thinking through decisions. Moreover, understanding is the basis of reaction.19

The right personal involvement shows the importance of the awareness program and gives it a better chance of success. For better understanding, the chosen presentation mode and method should be visually attractive, and the content should be customized to the organization and specific roles. Gamification may help in increasing user activity, social interaction and quality and productivity of actions.20

Measuring Awareness Programs

Metrics can be used to measure the progress of an awareness program for compliance reasons (e.g., how many people have taken the training and completed the tests) and to quantify the impact of the training and any change in employee awareness. Each of the three awareness components (attitude, knowledge and automatic behavior) should be monitored.

All measurements should be tracked by the specific, measurable, achievable, realistic and timely (SMART) approach, because it helps determine critical success factors (CSFs) and key performance indicators (KPIs).21 However, finding a useful metric that is not counterproductive is not an easy task.

THE PROGRESSION OF THE PROGRAM AND ITS IMPACT ON HUMAN AWARENESS SHOULD ALSO BE MEASURED.

Specific topics for metrics are derived from specific areas of security designated by security policy, as security policy must follow external rules, such as international, national, and industry standards and legislation. It is important to note that categorization should be customized to each organization and even to each organization unit, since not every category element is relevant for every organization.

Conclusion

People are a critical factor in cyberdefense (or in any defense). Generally, security awareness is the level of security that a person represents with her or his attitude and knowledge. When creating an awareness program, the delivery methodology that fits with the organization and ensures the highest level of personal involvement should be chosen. However, delivering the program is not enough. The progression of the program and its impact on human awareness should also be measured.

The second article of this series, “Components of Security Awareness and Their Measurement, Part 2,” will give possible solutions for using these measures informed by the theoretical discussion presented here.

Endnotes

1 Conteh, N. Y.; P. J. Schmick; “Cybersecurity: Risks, Vulnerabilities and Countermeasures to Prevent Social Engineering Attacks,” International Journal of Advanced Computer Research, vol. 6, iss. 23, 2016
2 VandenBos, G. R.; APA Dictionary of Psychology, American Psychological Association, USA, 2007
3 Bederna, Z.; “Components of Security Awareness and Their Measurements, Part 2,” ISACA® Journal, vol. 6, 2020, http://h04.v6pu.com/archives
4 Cambridge University Press, Cambridge Dictionary, 2016, http://dictionary.cambridge.org/us/
5 Katz, D.; E. Stotland; Psychology: A Study of a Science, McGraw-Hill, USA, 1959, p. 423–475
6 Zimbardo, P. G.; M. R. Leippe; “The Psychology of Attitude Change and Social Influence,” Psychology, 1991
7 Zur, O.; A. Zur; “On Digital Immigrants and Digital Natives: How the Digital Divide Affects Families, Educational Institutions, and the Workplace,” Zur Institute, 2011
8 Bolisani, E.; C. Bratianu; “The Elusive Definition of Knowledge,” in Emergent Knowledge Strategies, Springer, USA, 2018, p. 1–22
9 Kahneman, D.; Thinking, Fast and Slow, Farrar, Straus and Giroux, USA, 2011
10 Tversky, A.; D. Kahneman; “The Framing of Decisions and the Psychology of Choice,” Science, vol. 211, iss. 4481, 1981
11 Tversky, A.; D. Kahneman; “Judgment Under Uncertainty: Heuristics and Biases,” Science, vol. 185, iss. 4157, 1974
12 Ambady, N.; R. Rosenthal; “Thin Slices of Expressive Behavior as Predictors of Interpersonal Consequences: A Meta-Analysis,” Psychological Bulletin, vol. 111, iss. 2, 1992
13 Schwartz, B.; The Paradox of Choice, Harper Collins, USA, 2004
14 Chariri, A.; “Cognitive Limitations and Decision Making,” Jurnal Bisnis Strategi, vol. 3, 1999
15 Barabási, A-L.; The Formula: The Universal Laws of Success, Little, Brown and Company, USA, 2018
16 Alotaibi, M.; W. Alfehaid; “Information Security Awareness: A Review of Methods, Challenges and Solutions,” Internet Technology and Secured Transactions Conference, 2019
17 US Department of Homeland Security, Homeland Security Exercise and Evaluation Program (HSEEP), USA, 2013
18 Uzonwanne, F.; “Rational Model of Decision Making,” Global Encyclopedia of Public Administration, Public Policy, and Governance, Springer, USA, 2016, p. 1–6
19 Ibid.
20 Hamari, J.; J. Koivisto; H. Sarsa; “Does Gamification Work? A Literature Review of Empirical Studies on Gamification,” Annual Hawaii International Conference on System Sciences, 2014
21 Bernard, P.; Foundations of ITIL 2011 Edition, Van Haren Publishing, Netherlands, 2012

Zsolt Bederna, CISA, CRISC, CISM, CGEIT, CISSP, CEH, ITIL 2011 Foundation

Is the chief technology officer of cyex OÜ and works as a senior cybersecurity consultant. He can be reached at bederna.zsolt@bederna.hu.