Is it Security Awareness or Training

Earlier today someone suggested that security awareness training should be delivered in a similar manner to the green cross code as the desired outcome for both activities is the same.

As a child I was a proud member of the tufty club, which taught kids from the 1960’s and early 1970’s the dangers of playing near and crossing roads. In the mid 70’s the first version of the Green Cross code was published consisting of a step by step procedure to assist pedestrians cross the road safely. Rather than squirrel and other woodland creatures the code had a superhero called the Green Cross Code man who appeared in adverts from 1975 until until 1990.

Over the years it has changed but the six key stages in the latest version are:
• Think! Find the safest place to cross, then stop
• Stop! Stand on the pavement near the kerb.
• Use your eyes and ears! Look all around for traffic, and listen.
• Wait! until it’s safe to cross If traffic is coming, let it pass.
• Look and Listen! When it’s safe, walk straight across the road
• Arrive Alive! Keep looking and listening

So what has this to do with Security awareness?  Many organisations that provide security awareness see it as training their staff to avoid breaches, but when we learned to cross the road we were made aware of the dangers whilst the dog was trained. In my opinion this generates a different mind-set and the security awareness programme needs to focus on the following 6 steps for employees to consider:

• Think! Is the email from a known person or in line with their role?
• Stop! Consider if this is something they should be doing?
• Use your eyes and ears! Look and verify the email is neither spam or a phishing attack, Listen to what colleagues are saying about suspicious emails and/or what is being said on social media.
• Wait until it’s safe! Run anti-virus/malware software on the email and/or attachment before deciding whether to open it or not.
• Look and Listen! Re-review the sender of the email and the contents to ensure it’s appropriate and genuine
• Arrive Alive! Only open the file and or click on the email attachments if it feels safe to do so.

Whilst this approach does not prescribe the perfect solution, neither did the Tufty club and green cross code as I sometimes forget to look and listen but I have not been seriously injured when crossing the road so some lessons from the fluffy tailed squirrel have been learned.