Security Awareness – Changing the Behavior of Your Workforce
After closely reviewing the entire set of NERC CIP standards and their 45 supporting requirements, it is easy to notice their dominating technical security undertones. The NERC CIP standards have a very strong emphasis on cyber critical assets, electronic security perimeters, event management / situational awareness, and identity and access management, just to name a few. However, there is one core non-technically oriented standard – NERC CIP-004-1 – which, among other things related to personnel, focuses on security awareness and training (R1 and R2).
When reflecting upon the security of your organization, remember that security is comprised of technical, physical, and administrative safeguards. Examples of technical safeguards / controls include those mentioned above, along with firewalls, malicious software prevention technologies, and event monitoring and notification capabilities. Physical safeguards focus on the security of facilities and equipment, such as video surveillance, biometric access control technologies, and reception areas and escorting practices. Finally, administrative safeguards address concerns including workforce security, incident management, security awareness, and business continuity planning and disaster recovery.
In the context of non-technical security safeguards, the question becomes, “What is among the most effective ways in which an organization can enhance its security posture?” The answer is security awareness when the focus of security awareness is to enact behavioral change among the entire workforce. That is, security awareness should focus on changing workforce behavior by reinforcing acceptable security business practices; you do not want the business practices of the workforce to introduce undesirable risk to your organization.
You may have noticed the repeated mention of the word “behavior.” Why is the behavior of your workforce so important? Consider the following:
- A <choose role here> is entering a control center and holds the door open for someone nearby, even though the <choose role here> does not recognize the person.
- A <choose role here> has finished using ESP architecture diagrams, wads them up into a ball, and disposes of them in the trash can (rather than shredding the architecture documents).
- A <choose role here> uses the same password for all network and application access, which consists of the combination of the first names of his two pet dogs – “StanJake”.
- A security guard at the main reception area leading into a generation plant engages in good conversation with a visitor and allows the visitor unescorted access into the generation plant.
- A <choose role here> clicks on an email attachment from someone he does not recognize simply due to curiosity regarding the contents of the attachment.
These are just a few examples of behaviors any organization would want to prevent due to the potentially severe security risks they would pose.
Rather than focusing your security awareness strategy on simply imparting subject matter to your entire workforce under the auspices of being informational, your security awareness strategy should focus on transforming your workforce’s behavior into the specific behavior you have assessed will yield the minimal (if any) amount of risk to your organization.
Arianamums commented:
Very nice blog. I totally agree with your thoughts.
Jessicahep commented:
Great! Thank you very much! I always wanted to write something like that in my blog. Can I take part of your post for my site? Of course, I will add a backlink. Regards
Steven Hamburg commented:
kulakarni commented: