Cybersecurity Early Warning System
A previous post decried the sad state of the common company-wide mandatory annual cybersecurity training. This training is ineffective and sometimes even counterproductive. We say "counterproductive" because it reduces cybersecurity awareness to mindless adherence to simple rules such as "don't click on stuff in email." In that post we talked about what we feel such training should contain. In this post we will describe what we feel such training should achieve.
Cybersecurity training for the masses should enlist those masses in the cybersecurity cause. Instead of merely hoping that people don't do anything dangerous, the goal should be reports of oddness, of the unexpected or the strange. As dull as it sounds, looking into the odd, the unexpected or the strange is a great way to track down actual problems.
For example, I recently saw an email that was a very sophisticated spear-phishing attack. This email was shown to me as a curiosity by another IT professional. The email had been sent to a colleague and looked like an internal email from the head of the organization. Except the colleague (most definitely not a tech-savvy person) had been a bit uneasy...
- The head of the organization had never emailed him directly before.
- The language of the text was a bit...off.
- The request to do something on-line was...unexpected.
So instead of shrugging and complying, the colleague had forwarded the email to the head of IT, who recognized it as a spear-phishing attack. The head of IT thanked her colleague for his diligence and sent out a warning to everyone in the company, which prompted replies reporting several other similar attempts.
This is the goal: awareness in the rank-and-file of when they need to report something. This turns the rank-and-file into foot soldiers in the war against cyber crime instead of potential unwitting accomplices.
This happy state of affairs was not created by company-wide mandatory annual cybersecurity training. It was created by a head of IT who is an effective communicator and who provides her colleagues with psychological safety. In other words, her colleagues aren't afraid that she will belittle or demean them if they report something to her and that something turns out to be trivial. They are comfortable enough to pause and take time out of their day in order to make sure that everything is OK.
Rating Cybersecurity Programs (CSPs) is a bit like rating restaurants: there are many dimensions and no single factor is dominant. However, one of the biggest factors in our rating of CSPs is this: are your non-CSP colleagues comfortable coming to you with things that make them uneasy?
Why is this entire topic important? Because unlike most causes of outages--hardware failure, software bugs, human error, the weather--cyber attacks are deliberate acts by other human beings. Those bad guys read about what we do and they react to it. They read that no one wants to deal with IT, and they know that if they pull a classic man-in-the-middle attack, most users will roll their eyes when web traffic is suddenly very slow but they won't sound an alarm. They read that most anti-malware training turns people into mindless drones--don't click on links--and so they provide what looks like a bulletin from IT explaining how to install "a priority patch" (which is actually malware), including instructions on how to bypass common protections. This is odd; should we double-check with IT? Hell no, those guys are jerks.
When we conduct a little fieldwork and ask organizations how they rate the effectiveness of their training, we usually get some statistics on the quiz at the end of the training or on the company's simulated phishing campaigns. What we want to hear is something quite different: we want to hear about all the communication they get from their colleagues and how helpful that communication is.
As part of bringing behavioral science to cybersecurity, Pythia Cyber clients are surveyed for this very trait. If you want a Pythia Cyber CSP Star for cybersecurity training, then you need a CSP that reeks of psychological safety.
That is difficult to achieve. We can help. Ask us how.