There’s an old story in law enforcement circles that comes from the era of revolvers. During practice, officers would dump their spent brass cartridges into their hand after shooting a round rather than letting the brass fall to the floor where other people might slip and fall on it. Officers would then take the time to put the brass in their pocket before reloading so they wouldn’t have to pick it up again when cleaning up. After real gunfights, officers were found dead with spent brass in their pockets. Did the seconds they lost pocketing their brass cost them their lives?
In his book, On Combat, Lt. Col. David Grossman describes multiple examples where law enforcement trainers have unintentionally created scenarios that incentivize not just good behaviors, but bad behaviors as well. He calls these bad behaviors “training scars”. Grossman details another habit where officers, instead of using a dummy gun, used their hands in the shape of a gun. In real life situations, officers were observed attempting to make an arrest by pointing their fingers when they needed to draw their weapons.
Reflecting on this, I wonder whether our corporate cybersecurity training programs might be creating training scars of their own. While the security community is thinking very critically about ways to measure how much we’re improving our security, we’ve got a blind spot when it comes to whether we’re creating any unintended consequences in our organizations. In the law enforcement example above, it took some very tragic and dangerous conditions before anyone took a deeper look at how training might be creating just as many bad habits as it was breaking down.
I’m a big proponent of simulated phishing campaigns to help educate users about the dangers of clicking on links. I am a fan because I’ve seen how effective they are at reducing click-through rates. But when I first launched such a campaign, I worked to get buy-in from our executive leadership. The only concern they had was whether there would be any unintended consequences. Would such a campaign, for example, mean that employees wouldn’t be as responsive to email? Would it change the culture of the organization from being warm and supportive to being cold and suspicious?
Unfortunately, although I have metrics to show how effective a simulated phishing campaign is, the same can’t be said of its effect on other habits inside the organization. Measuring culture isn’t something that anyone is doing, as far as I’ve been able to determine. I’ve had many conversations with CISOs about how we can change the culture of our organizations, whether it is even possible, and whether one person can even have a chance to make a difference. But we’re only thinking about one dimension of culture when we think about this problem: security.
This is the observer effect put into practice (the idea is often loosely attributed to Heisenberg’s Uncertainty Principle): merely attempting to measure something has an impact on that thing. The thing in question isn’t security, it’s people, and we need to think of them as the three-dimensional beings they are. I think if we in the security community were able to measure the overall culture of our organizations, not just from a security perspective, we would stand a much better chance of actually changing those cultures. Just being aware of a behavior might be enough to change it. Just asking the right questions might start the process of change.
A few years ago I had the opportunity to do some training with police officers at their shooting range, and they had incorporated new training techniques to help defeat training scars before they had a chance to form:
- As part of their drills, they practice letting their magazines drop to the ground and immediately loading another rather than carefully removing them by hand. This removes the normal etiquette of the shooting range and replaces it with an emphasis on speed and efficiency.
- They also had a mini drill for pistol malfunctions: clear the gun immediately rather than freezing or pausing to examine the weapon.
- Drills now involve maneuvering sideways from target to target or moving towards a target rather than standing stationary. This prevents freezing and emphasizes taking advantage of your environment.
- Shooting is also done in different positions or stances, incorporating unholstering the weapon at the beginning, but progressing so that officers aren’t trained to reholster their weapon after every shot.
- Shooters practice multiple patterns of shots rather than one shot at a time so that they aren’t accustomed to checking for success after every single shot. This assumes a degree of inaccuracy that should be expected in a messy real-life scenario. It also means not tying up ego with missing a single shot, because you don’t have time to be disappointed in a gunfight.
Whether you’re conducting a tabletop exercise with executives or you’ve hired a social engineer to test your defenses, you have an opportunity to drill and train your employees. And you should be using these opportunities to test and measure their habits, both good and bad. Just like in the law enforcement examples above, you can change training scenarios to try to exclude bad habits. You can run a diversity of training scenarios around the same practice so that training scars don’t have a chance to form. And you can make your drills more like real-life incidents and breaches to prevent practice etiquette from becoming muscle memory.
What training scars do you have?