Activating Employee Awareness: Leveling the Playing Field in Cyber Defense
By providing insight into actual incidents, issuing timely and actionable threat bulletins, and tying patching advisories to threat activity, our cyber awareness program has tipped the scales in secure behavior change and created an effective sensor network. Today, the human "sensor" continues to "detect" over a tenth of incoming advanced cyber threat attempts, and timely patching of actively exploited vulnerabilities has prevented compromise of our systems.
By using techniques such as social comparison, self-practice, and personalization, and combining them with a shared risk management model, our cyber awareness program differs from the standard security training programs that rely solely on annual training, posters, and broadcast messaging. A key to our success has been to embed our program within our cyber operations. Because we work alongside the personnel responsible for monitoring and response and our cyber threat intelligence cell (responsible for indicators and warnings), our awareness program contains the information and metrics we need to tell the story and nurture our human defense "infrastructure."
Technological controls alone cannot prevent or stop all cyber attacks, especially when zero-day vulnerabilities are still unpublished. An active employee base can make the difference, even in cases where "one click" can bring down an entire organization.
Telling the Story for Secure Behavior Change
Telling stories about one's culture can create shared experiences that transfer knowledge in a memorable way. Storytelling has helped equip our employees: our True Stories series uses actual incidents to show how threats have come uncomfortably close, and how employees have played a role in sensing and defending. The success of this series is due to a willingness to openly tell the story and to voluntarily use attribution of those involved. Reading about colleagues in a "thrilling" story is a compelling way to remember an underlying point, and one that reinforces current topics of most concern to an organization.
First Steps in Creating Human Sensors: Email Detection
Because cyber adversaries "hack the human" (i.e., exploit human emotions such as fear and curiosity as well as trusted relationships), one of the first steps is to slow down when processing email and instead read it defensively. This is easier said than done. Using the email self-questioning technique, EARNEST, along with self-practice on actual delivered emails, can provide the first stage in building a human sensor network. At MITRE, we measured the self-practice and coupled it with "Suspicious" email reporting feedback. As a result, our human sensor network doubled the number of suspicious email reports, resulting in an increase of 3 to 1 in detecting cyber adversary attempts over other sensors. Today, our suspicious email reporting has doubled again, and our human sensor network is still very relevant to our defense. With a strong base in place, our email self-questioning technique can now be a simplified reminder: "SOS," which stands for Sender, hover Over links, and Sense.