Cyber attacks: education, not awareness, key to reducing effects of crime

The increased frequency of cybersecurity advisories being published by governments is great for awareness. We’re even starting to see joint advisories being issued by allies, such as the recent publication by the US, UK and Australian authorities covering the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020.

While this is a step in the right direction that helps to address the very real global risk of cyber attacks, there is still a gap that authorities seem unable to bridge: awareness is not the same as education.

Education vs awareness

Awareness helps a person to understand that something exists, but it does not necessarily help them grasp why it matters. Awareness does not answer the ‘so what’ question that we all naturally have. The systemic apathetic approach that many organisations have towards managing cyber risk is at the root of why we now see cyber incidents being reported on the front pages of news outlets daily.

Education is what matters, and governments have a duty to ensure they educate instead of stopping at awareness. As with any topic, the people you are trying to educate learn much more effectively when the teacher can articulate why it matters and how it relates to them. Without helping a person make that connection, there is little chance of making them care.

Take the joint advisory mentioned previously from July 2021, for example. The summary starts by telling the reader that organisations must patch their systems because attackers routinely target software vulnerabilities. It then dives straight into the technical details and begins to talk about “arbitrary code execution”, “arbitrary file reading”, “path traversal”, “remote code execution”, and “elevation of privilege”.

At this point, any non-cybersecurity professional is likely to stop reading. But the advisory has not answered the so what question, beyond the usual rhetoric the public has grown accustomed to hearing and learned to tune out.

Everyone is your audience

Authors of advisories like this will argue that the intended audience is ultimately the technical team; therein lies the systemic challenge we must overcome. For most technical teams, the information contained in advisories will already be known to them. All the advisory has managed to achieve is to collate information into a single ‘government ratified’ document.

The attitude that non-technical stakeholders are not the intended audience must change. In the past, this approach was the standard. But it is no longer acceptable.

All public cybersecurity advisories must cater for non-technical audiences as well as technical ones. They must answer the so what question right at the beginning. The technical details matter, but they should be in the body of the document. This is good structural writing that we all learned in school. Yet so many fail to remember this is the key to good communication once they enter the professional world.

Use plain language and talk about impact

Instead of starting with terms like “arbitrary code execution” and “arbitrary file reading”, the executive summary of the advisory mentioned above would have been better served by talking about the key business risks that the vulnerabilities posed to organisations.

For example, how many of the common vulnerabilities being referenced typically lead to data breaches? Which ones are most used as part of an attacker’s path in ransomware attacks? Which companies and industries are more susceptible to each vulnerability? What are the typical impacts to organisations for each business risk?

The answers to some of these questions will likely require collaboration between the government and industry. Everyone involved should view this as an opportunity to ground the answers to the above questions in reality and gather feedback on the key messages that are likely to resonate with the senior leadership of organisations.

Using plain language to help contextualise the so what goes a long way. Doing so allows the reader to connect with the messages being communicated. Most importantly, providing context steps the content up from building awareness to being educational.

This education helps senior leadership understand the so what and generates the conversations required to prioritise remediation steps.

Effective real change

The Avertro Cyber Leadership Effectiveness Study, 2021 found that many leaders in government departments responsible for delivering these messages still take a compliance-driven approach to managing cyber risk. The same study found that one of the keys to cyber resilience is to ensure senior leadership takes a strategic, transformational approach to managing cyber risk instead of a compliance-driven one.

Until senior leadership in government departments take a primarily strategic, transformational approach to managing cyber risk, their external messages and advisories will continue to raise awareness, but fail in being truly educational.

Only by educating, can we make a significant impact in reducing the effect of cybercrime on society.

Image credit: ©stock.adobe.com/au/escapejaja