Building a Cybersecurity and Privacy Learning Program: NIST Releases Draft SP 800-50 Rev. 1
I was recently asked to review and provide feedback on a new draft NIST document – Building a Cybersecurity and Privacy Learning Program: NIST Releases Draft SP 800-50 Rev. 1. I noted the following points throughout and, although the review was line by line, I have summarised them below:
Employee Engagement & Feedback
- Lacks any mention of understanding contextual factors, such as organisational or psychological factors, that may influence the level of engagement with security and the motivation to learn new behaviours for the good of the organisation employees work for.
- Training needs to reflect employee feedback and attitudes as well as knowledge to better understand the extent to which knowledge will be retained and for how long.
- This is why it is important to understand the needs of the employees when planning education and training, and not to base training methods on assumptions. Security teams need to be realistic about the time employees can devote to training and identify ways (perhaps through an assessment on joining an organisation) to determine whether training is indeed required. A ‘one size fits all’ approach is not appropriate for all audiences and risks disengagement with security.
- It feels as though employee feedback and perspective are missing throughout in identifying and reporting risk. I appreciate that this document is about the policy of education and training (and learning), but feedback is a critical component of that: not just following the delivery of training (in a perhaps top-down approach) but involving employees in the design of initiatives and training solutions to better create engagement and a positive security culture.
- It is not just about measuring specific behaviours or the number of incidents, reports or phishing statistics – motivation, attitudes and feedback also need to be collected and compared pre- and post-campaign (see the ENISA study from Anima People, 2022).
- Leading by example is not just about doing training but about engaging people with security and creating a security culture through active participation in whatever communication methods are adopted internally, e.g., lunch-ins, CEO newsletters, team days…
- Insider threat should also be included as a consideration, and as a possible response to a psychological contract breach that may occur because of a negative impact on the individual and their resulting lack of motivation towards security or towards supporting positive efforts in the organisation’s interests. It is not just about level of access and whether someone is a privileged user, but whether they may pose an insider threat or have access to systems that may require additional assessment or monitoring – why is this not reflected at all in this document?
- The use of words such as “mechanisms” encapsulates technical approaches but not socio-technical approaches.
- It is not just about knowledge, skills and capability, but also self-efficacy (the confidence and will to carry out those skills) – see Angela Sasse, as well as attitudes, intentions, commitment, loyalty and trust in the organisation (psychological factors). You cannot use the term ‘culture’ without addressing these critical aspects.
- To achieve a culture of personnel engagement one needs to look beyond knowledge and skills gaps, towards employees’ environment within the organisation and whether it is conducive to meeting the outcomes of any program.
- There are also scenario-based evaluation techniques available which identify risk within organisations and the requirements for training.
- NIST talks extensively about culture and then wants to encourage organisations to use phishing simulations as a key metric? This only serves to turn employees off security, and it is a weak metric. Why not obtain feedback directly instead?
Context and Feedback
- Needs to address not only the learning needs but any barriers that may exist to prevent learning from occurring, such as psychological or organisational factors.
- A cybersecurity culture is the outcome, over an extended period, of various events and responses, and so these need to be considered in terms of their influence on culture, i.e., the impact of mergers and acquisitions on employee attitudes and behaviour towards security, conflict within the organisation, as well as psychological contract breaches and other HR or employee-related issues.
- There is a lack of understanding or opportunity for exploration as to how security relates to employees and what scenarios may exist and what actions should be taken by security teams. The document is often too complex and convoluted.
- The guidance does not explain how deficiencies in organisational culture can be determined. That is fine if you have psychologists and behavioural scientists in the team, but most organisations have a tick-box approach to security based on the NIST framework, which is not conducive to understanding organisational culture or employee engagement through obtaining feedback and gentle assessments.
- The document assumes that learning should be a program when in fact it may be more of an approach. Also, it may not be learning that is required but an evaluation as to what barriers may exist within organisations to prevent learning or the adoption of security behaviours.
- Also, the security values of the organisation are not once mentioned throughout this document. It is assumed that employees possess them and, given the appropriate training, will create a security culture, which is often not the case at all. This language suggests a top-down approach in trying to force employees to engage with security through programs created in a box.
Learning Content Material
- Organisations need to consider how appropriate the learning material is for different audiences, taking into account the different ways in which those audiences learn, and avoid a ‘one size fits all’ approach.
- Is it just about new hire training or is it also about understanding security values and whether employees are a good fit for the organisation from the start?
- Training should be adapted to respect the constraints on leadership’s time and priorities, especially in times of change, e.g., mergers and acquisitions.
- Organisations should identify the needs of their audiences and encourage the development of material that is tailored to different groups.
- Throughout the document there is still an assumption that there is a program that can be perfect for an organisation. It is an approach that is required, as ‘program’ facilitates an over-reliance on tick-box, out-of-the-box training solutions, when there are more complex factors involved in the adoption of security behaviour and a secure culture, which cannot be created through a single out-of-the-box solution. There needs to be a holistic approach to security which encapsulates data and factors from different corners of the organisation in a bottom-up as well as middle-up and middle-down approach. NIST should encourage an approach which respects the complexity of the humans and cultures that may exist within organisations and do its best to prevent an over-reliance on commercial one-stop-shop solutions: a way to lift the rock, evaluate the current human factors environment and tailor approaches to best match socio-technical vulnerabilities.
- The document fails to address the important aspect of meeting the needs of the employees, which can be measured (e.g., Net Promoter Score), as well as those who may have specific learning needs, not just those with disabilities but also those whose culture and background influence the way they learn.
- This whole document assumes the way to change long-term behaviour is through commercial generic training programs, but these are not working.
Partnerships and Working across Teams
- More engagement is needed with national and international initiatives and campaigns such as ENISA’s ECSM in the month of October.
- Security teams should be encouraged to align with HR to promote a security culture with security values, so that employees are aware right from the recruitment and selection stage how the organisation sees itself as prioritising security in keeping employees secure.
- To prevent a hierarchical top-down approach, employees should also be represented on the committee where awareness and learning are designed and implemented.
- Work cross-departmentally (including HR) to understand barriers that may exist to prevent the adoption of new behaviours or the participation in cybersecurity training.
To summarise, the NIST document is based on core assumptions and is preventing an evolution in how we engage employees with security and identify risk at the preventative stage, prior to counterproductive behaviour ensuing. A one size fits all approach is not fit for purpose and fails to incorporate, or give due respect to, academic and industrial research in socio-technical security.
Strategy starts with understanding your audience. This is not reflected in this document and reads more like the instruction manual for a basic commercial product.
NIST is once again influencing organisations to buy into expensive cybersecurity solutions which may not be what the organisation needs in terms of managing risk. There may be much larger factors at play, such as espionage, conflict, the company going into administration, etc.
This is making it too easy for commercial security awareness vendors to miss the point and create metrics that pose as ‘human risk’ metrics but don’t reflect an evolving culture or human factors environment. This is a marginally faster horse solution, completely ignoring the existence of cars, and completely ignoring the elephant in the room.
Awareness is yesterday’s horse cart – now we have cars. It is about engagement and long-term behaviour change by dealing with core issues, not superficial issues.
Fundamentally, the assumptions that lie beneath this document are not addressed, and the document encourages a hamster-wheel approach. Those who have been working in this space for several years and appreciate the challenges that exist within organisations frown at this discourse. Awareness is not the point, and neither is top-down learning. It starts with understanding the issues, turning over the rock and tailoring solutions to meet the needs of the people who protect and serve the organisation. This whole guidance serves to put the responsibility onto employees, completely ignoring other organisational or psychological issues that may be at play. It’s time to change the discourse to facilitate a positive impact on employees, their motivation towards security, and an intrinsic security culture. We have evolved at least 3-5 years from the position this document defends, and it completely ignores modern academic and industrial research. Why would NIST ignore this valuable information and not try to facilitate positive change and improvements? What chance do we have otherwise?