What non-mask wearers teach us about security awareness

elevenM Principal Arjun Ramachandran explores why observance of coronavirus restrictions and advice varies across countries and societies, and the potential lessons for those in the game of persuading people to adopt good security behaviours.  


“Wear a mask”. “Practice social distancing”. “Isolate”.

Clear, consistent, universal.

But cast your eyes from country to country, even community to community, and you see incredible variance in how the advice sticks.

The management of COVID-19 in the community highlights a core challenge in how companies cultivate positive security and privacy behaviours among their people. Clear guidance and engaging messages alone don’t always get the job done.

As public health practitioners have learned through the pandemic, and as those of us engaged in security and privacy persuasion must recognise, we work in a broader context.

The fingerprints of culture are evident in how different societies are responding to coronavirus guidelines and restrictions. Values like individualism, community, mutual obligation, respect for the elderly and deference to authority – and the extent to which they dominate a culture – clearly influence how communities behave, and how they will respond to advice and guidance.

“Maybe we’ll change our culture so that it’s not expected or brave of you to go to work sick. Maybe we’ll start to protect each other the way Asian cultures do. It’s pretty normal in Asian societies to wear a mask when you’re sick when you go out in public and to stay home if you can. We are the exact opposite. We wear masks to protect ourselves and we feel free to show up at a meeting when we have a fever.”
VICE

Sure – when you’re trying to inculcate good security or privacy practices, repeatedly broadcasting actionable advice will get these messages onto the radar of employees. Heck, if you’re clever enough to make the advice funny or entertaining, it might even go viral! You’ll have smashed a bunch of internal engagement metrics and hit some awareness goals.

But as with “Wear a mask!”, lack of awareness isn’t always the barrier. People can know what to do and still act contrarily. Or, they might follow the rules, but only in circumstances where compliance is monitored or defined.

If we want go beyond compliance, and if we want behaviours to be both lasting and self-applied across contexts, then our goal must be for employees to internalise and identify with those desirable behaviours.

That’s why we encourage organisations embarking on security or privacy education activities to look at shaping culture as a vital complement (if not a precursor) to their education and awareness activities.

Culture is ultimately an expression of shared values and beliefs expressed through collective behaviours and practices.

Research tells us that values, more specifically an alignment of values, creates conditions for people to internalise behaviours.

Yet while organisations abound in discrete bits of security advice (“don’t click this, make sure you do that”), the values underpinning the desired security and privacy behaviours are often never defined or articulated with employees. It could be as simple as revisiting the company’s existing set of corporate values and expressing how security or privacy are integral to that value set.

For staff to identify with values and desired behaviours, they will also expect to see them being exhibited and advocated by those they admire or respect. This is where an organisation’s high-profile security champions can play a role, and where its most senior leaders have a responsibility.

For more on security culture, check out our recent work.

The unfairness of cyber awareness

elevenM Principal Arjun Ramachandran explores why cyber awareness matters, despite the prevalence of seemingly unstoppable sophisticated cyber-attacks.



“Deserve got nuthin’ to do with it. It’s his time, that’s all.”
– Snoop, The Wire.

We want to believe our behaviours solely determine the outcomes we get. But it’s not always the case, especially in the complex cyber realm.

The brilliant US drama The Wire made an artform of summing up life’s hard truths in pithy one-liners, delivered in the language of the street. In Season 5, drug gang member Snoop is asked by a junior gang member whether a target really “deserves” to be “hit”. Her response (above) lays bare the unfairness at the heart of the adversarial drug war.

Cyber security too, ain’t always fair. The existence of a committed, human adversary is a significant and differentiating feature of cyber risk that those of us involved in the field should keep in mind.

Especially in the areas of security training and education. We often seek inspiration from areas like public health, where highly-acclaimed campaigns have raised awareness of the risks of smoking and sun cancer, driving down public exposure to these activities and vastly reducing the incidence of bad outcomes.

But these areas don’t have a human adversary. In cyber, for all of our awareness and reduction of risky behaviours, it remains the case that a determined, highly-sophisticated attacker could still get at a company’s crown jewels by persistently probing for small areas or moments of weakness.

The attack on the Australian National University is a shining example, recently and evocatively labelled a “diamond heist” by its vice-chancellor, rather than a “smash and grab”.

“It was an extremely sophisticated operation, most likely carried out by a team of between five to 15 people working around the clock”. – ANU vice-chancellor Brian Schmidt

While it may be true that a well-educated and aware workforce might not “deserve” to get hacked, Snoop’s street wisdom and the ANU hack suggest that increasing the awareness of end users may still not be enough to prevent the most sophisticated attacks, such as those by highly-skilled state-sponsored attackers.

And awareness on its own stands to be defeated. The UK’s National Cyber Security Centre points out that people-focused activities such as education must come with technical controls, as part of a multi-layered approach. That’s a sentiment recently echoed by the Australian Government.

“But like all other forms of security, awareness is a complement to, not replacement for, the availability of secure features. For example, drivers are provided with a seat belt in addition to education about the importance of road safety and incentives to use the seat belt. And the same expectations and requirements we have where safety is paramount should apply in cyberspace” – Australia’s 2020 Cyber Security Strategy – A call for views

But we also can’t throw the baby out with the bath water.

In our travels, we occasionally come across a certain bluntness or defeatism about cyber awareness. Because of the success of and attention given to state-sponsored attacks, education and awareness is labelled “ineffective”, technical controls are deemed all that matter.

In our view this is a severe over-correction.

It pays to remember that there exists a broad swathe of attackers – not every attacker coming for a small business (or even an enterprise) is bankrolled by a rogue state and has access to an arsenal of zero-day exploits.  

In fact, many are commercially-motivated cybercriminals of varying levels of ability, plying their trade using commodity tools purchased off underground marketplaces. They can be as sensitive to cost pressures as the CEO of a cash-poor business. Anything that makes it harder (ie costlier) to achieve their goals may be enough to deter these actors to move on to another easier, more cost-effective target.

One of the ways we help businesses do this – such as through our recently developed learning packages – is by raising employees’ awareness to the risks and also providing actionable advice on how they can make the average cyber attacker’s life that little bit more frustrating. Maybe a stronger password, or a healthier skepticism to dubious emails will do the trick.

While technical controls might overtake end-user awareness as the best response to a specific cyber threat (eg. some now argue multi-factor authentication should be prioritised as a response to phishing), when that happens an effective awareness program can re-deploy the fruitful conversation it has established with staff to the next evolving area of risk (for eg. how staff use cloud services).

In this way, over the long term awareness activities also continually embed a sense of responsibility and ownership in a workforce, acting as a precursor to and an enabler of a secure culture.