The importance of security awareness is clear but scaring users won’t enhance its impact. Martin Cooper MBCS discusses human security with Wendy Goucher MBCS.
There’s a story behind every story. In this case, the initial fiction is called Nettie’s Cyberland - a book which gently introduces young children, their parents and their carers to information security risk. In the book' its follow-ups, there are bunnies with long ears, ruined cakes, naughty dogs straight from the Beano and a long-armed robot called Webbie. All these players, in some way, contrive to teach Nettie that the internet is a place of brilliance but also a dangerous one. There are hard digital life lessons to be learned, all underscored by a sense of pillow-soft, redeemable peril.
If there’s a summary of the stories behind Nettie, it’s this: fear doesn’t work. Fear won’t keep inquisitive children safe on the internet. Nor will fear transform phishing-prone workers into savvy and sceptical cybersecurity participants. There are, as we shall see, many strong parallels and patterns which occur in both the Nettie stories and in security awareness best practice. Security practitioners probably shouldn’t hand out copies of their books across their businesses but they probably should listen to the story behind the story.
Importance of security awareness
‘I trained as a teacher and lecturer; I did that for twenty years and I needed a new challenge,’ says Wendy Goucher MCBS, explaining how her cybersecurity and eventual writing careers began. While at this crossroads, a chance discussion with her husband opened the idea of working in information security.
‘He’s technical,’ she recalls. ‘I was never going to be a techie, that’s not my perspective. I’m much more about behaviours - I did social science and psychology for my first degree.’
Despite being a technical discipline, Goucher says, cybersecurity also needs people who can speak in plain English - practitioners who can take the industry’s defining concerns and make them accessible to everybody; she calls such people ‘translators’.
The first chapter of Goucher’s new cybersecurity career was, she admits, a real struggle. For around eight years, she moved from one contracting job to the next and, she admits, it was a hard slog.
‘I never struggled to find a speaking gig,’ she recalls. ‘I’d give a talk about behaviour. If you talk to people about security - security that matters to them as people - they’re much more likely to learn about it. People would come up to me at the end of the talk and say “That’s brilliant! People should really be talking about that.”’
But, she found, those talks seldom translated into new consulting clients. And that was because many businesses felt that the human and behavioural aspects of security she was exploring were ‘common sense’ and, as such, not worth paying for. That led to a career shift and a greater focus on risk.
‘This gives me the opportunity to look at how to do information security and to also let people get on with their work at the same time,’ she says. ‘The other part of my work is looking at security awareness. That lets me be more creative - and Nettie fits into that. It gives me the opportunity to do what I set out to do: work out how to communicate with people in a meaningful way.’
Awareness training by stealth
The Nettie books are security awareness training wrapped up carefully and pitched at pre-school aged children. They demonstrate very key concepts like accesses control, keeping your passwords safe and not sharing with online strangers.
The books’ DNA can be traced back to around 2011, where Goucher was working on a project for a Middle Eastern client. The client was a country and a team of external consultants was set up to create teaching materials for children from age 5-18.
‘I was given the pre-literate kids because I’d done teacher training,’ she says. ‘It was really high pressured. We had about six weeks. It was horrendous… we worked day and night. We got it done but, when we finished, I just couldn’t stop coming up with ideas. About a month later, I went out for coffee with a guy call Jim Barker, who’s an illustrator. I sat down and said “Jim, I’ve got this idea about how the internet is another land - it’s full of lovely things - and this little girl, instead of being on a computer, goes into the internet... she’s inside a robot though - so she’s safe.”’
Over coffee, Barker produced some sketches which would eventually become the books’ central characters: Nettie and Webbie. From that creative spark and imaginative urgency came the next phase: an eight year search for a publisher. Nettie eventually found a publisher, albeit at a time which coincided with the COVID pandemic’s first lockdowns.
Slow start to hitting the mark
‘The books are targeted at very young children,’ she explains. ‘And there are a number of things which are really important. Firstly, as adults, we view the internet as a scary place. Children don’t. It’s a fun place where they play games. As soon as we start trying to tell them that it’s scary, we’re not speaking the same language.
‘What I wanted to do was start a conversation about how parents can sit down with their five year olds. They can sit down and talk about what happens in the book - whose fault was that? What should they have done differently? - It’s opening conversations.’
So, what are the risks which the youngest internet uses need to be prepared for?
‘The main risk is that they are not sufficiently sceptical,’ she answers. ‘Children shouldn’t be made sceptical at a very young age, but I want to plant a seed of scepticism. The difficult thing is using their view of the world.’
Goucher’s belief in healthy scepticism can be traced back to a New Yorker cartoon from 1993. The cartoon showed a large black canine sat proudly at a computer, explaining to its friend, ‘Nobody on the internet knows you’re a dog.’ Drawn by an illustrator called Peter Steiner, the cartoon didn’t initially cause many ripples but, over time, grew to capture the spirit of an age dominated by internet anonymity and debates about trust. Twenty years on, Steiner’s concept is still going strong and enjoys a happy and viral life among the internet’s most popular memes.
The unfriendly online illusion
‘People aren’t always who you think they are,’ Goucher says. ‘And, the problem is, the risks that come once a child is literate are different. At a very young age, cyber bullying and sexting - they’re not relevant.’
The fact that cyber risks change as children grow up (and they do so very quickly) makes the job of parents worried about online risk doubly hard. If you’re lucky enough to work in or around cybersecurity, you’ll have a head start over parents who aren’t familiar with keeping business information safe. If you don’t have this advantage, helping your children can be a real worry.
The key, Goucher says, isn’t to try and be an expert. Children will, inevitably, use the internet in radically different ways to their parents. Rather, she advises that parents should sit with their children and simply have a conversation about what they are doing online; which apps they’re using; which sites are they visiting and who their online friends are.
Indeed, there’s nothing wrong with asking your children to teach you about their online world.
Defending our data and our people
Many of Nettie’s misadventures, as we’ve seen, are designed to help foster conversations around familiar information security topics. And, shifting gear to talk more about Goucher’s nine-to-five information security work, conversation - and the need for good quality conversation - is a recurring theme too. Particularly, she believes that conversation is essential when it comes to designing security awareness training which will actually help everybody become engaged with the idea of defending their organisation.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
‘One of the first rules of teaching is going from the known to the unknown,’ she says. ‘It’s about talking with people and engaging with them. And getting them to say: “Do you know what, the thing I don’t understand is...” or “Is it true I’ll get into trouble if I click on a link?” Get them to open up...’
Critically, she says, ‘The more you become involved in a profession like security, the harder it becomes to step outside [of the profession] and see things the way an outsiders sees them.’ And gaining that insight, she explains, is one key component in any successful awareness programme.
Another ingredient can be found in the somewhat infamous quote from the security writer and commentator, Bruce Schneier. Talking about the importance of security awareness, Schneier wrote: ‘People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.’
Many eyes make security work
‘I don’t think that’s actually what Schneier meant,’ Goucher says. ‘We need to get away from the idea that everything would be secure if only we didn’t put humans in the middle. Certainly, they do cause problems, but users are very good at spotting things which don’t feel right: we know if there’s something wrong [with an email]. If there’s something that doesn’t feel right, take notice of that warning voice... be human.’
Continuing, she explains, ‘Ten years ago - nobody would say that in a training session. Everything would have to be measurable. Now, we are beginning to say, “You can be a human being to be part of cybersecurity.” You can offer value and you don’t have to be technical.’
Rather than simply explaining and PowerPoint-presenting through how a virus might enter a system, this conversational approach could, for example, see a trainer ask a group: ‘You know what a virus is now. How would you go about introducing one into your computer’s network?’
‘The best way to work out how safe your house is, is to work out how to break in,’ she observes. ‘Involve people. Ask “How would you go about finding out about people online?” And then ask them to see what’s available about them online. It’s much more effective than traditional “chalk and talk” teaching.’
Goucher also believes that how fear is used in security awareness can have a profound influence on whether a campaign or a behaviour change programme achieve their desired outcomes. And fear, let us not forget, is part of cybersecurity’s lexicon. Some parts of the industry revel in dark actors, black hats, threat actors and kill chains.
People do make mistakes - they may well click on a link they ought not to have done - but, if they’re scared of the consequences, they’re not likely to tell their colleagues in IT. If security awareness training relies too heavily on nightmare scenarios, people are going to cover up their errors. And these, Goucher believes, are a outcomes which should be avoided.
‘It’s a classic view,’ she warns. ‘The idea that you have to make people scared before they understand risk isn’t right. People need to appreciate risk - that’s not the same as feeling the gut wrenching fear.’
This philosophy found life in a campaign she worked on for the Awareness and Innovation team at Covea Insurance. It promoted the message: ‘If in doubt, shout!’
‘And,’ she says, explaining more about the campaign’s messages, ‘we really don’t care if you have done something wrong. Make a note of what you did and what you saw because that is really important. You’re not going to get into trouble. The point is, every report strengthens our security - even if you’ve done something which is wrong. Possibly we learn twice from the things we do wrong. [As a security team] we need to use the information we’re given. We can make it easier for other people to avoid making the same mistake.’
Building and fostering this kind of culture, Goucher admits, is hard and is made doubly so because so many people now work from home.
The pandemic effect
‘Working from home has changed awareness training a lot,’ she says. ‘In a way, I’m looking at the good stuff that has happened out of all this.’
She found that companies were, before the pandemic, often resistant to the idea of explaining to their employees about their personal online security. It was rare for awareness training to touch on shopping, social media and on their employees’ everyday-digital life. Rather, the training would commonly focus on securing the company’s direct perimeter.
Today, it’s much more common for awareness training to explore both personal and working security. That’s because there’s now a real blurring between the workplace and family life with so many people now working from home. Business information and personal data move across the same domestic network. One laptop might now be both a work computer and a general purpose machine used for grazing across the internet.
Training people about both work and personal security, she believes, is incredibly healthy. ‘Security should always have been like that,’ she says. ‘One company I’m working with is renegotiating its anti virus contract and, as part of that, it’s going to try and get free anti virus protection for its employees. It’s not a new idea but it’s about joining those things - home and work - together. We can’t make those differentiations anymore. Have that conversation, talk about home and work security.’
Summing up the point, she says: ‘There are no edges in our lives now. We can’t see work as a box on its own.’
A recipe emerges
Returning to fear as the cornerstone of security awareness, Goucher puts a final nail in terror-based training’s coffin: ‘The problem with fear is, of course, the person who fell for a good phishing attack - they’ll never know they were a victim anyway.’
There is then the makings of a formula for awareness training: involve people. If you’re a trainer or provider, step outside of security and imagine what it’s like to be an everyday user; don’t use fear to change behaviour. Frightened people won’t report their worries.
Finally, your people aren’t the weakest link. Rather, if they’re engaged, empowered and feel part of a positive culture, they’ll be your first and best line of defence - an army of people who will eagerly speak up if they see something that maybe, just doesn’t quite feel right.
Summing up, she says, ‘Security is about collaboration and communication. It’s our responsibility to communicate good security behaviour and to make that possible. We need to make security work so that it doesn’t get in people’s way. If leaders want people to do something - to behave in a certain way - we have to make that possible.’