Why Spam And Malicious Code Are Still Successful
Today I found a small article in my daily RSS feeds titled "Miracle Battery-Saver App Harvests Email Addresses for Spamming". The article is a brief analysis of a malicious application that tricks the user by pretending to do something great for saving his/her mobile phone battery life.
It immediately raised a foundational question in my mind: Why do people still trust this type of miracle offer, even clicking "allow" when the application requests permission to read the user's contacts (in order to acquire the personal data) and then a second permission to access the Internet (in order to upload that data)?
Theoretically, Spam and its associated malicious code should be extinct already, because every computer user should be more or less aware that this bad stuff exists, and should be suspicious enough not to click links or open attachments in emails that are not obviously from a trustworthy source.
In theory, yes, but in reality Spam and malicious code still exist for the same reason that people still smoke, drink, ride extreme downhill or do other obviously unhealthy or risky things.
The answer to the "why" question is simple: It is human behaviour. And human behaviour can be explained in a very simple formula. The Behaviour Model by BJ Fogg shows that three elements must converge at the same moment for a behaviour to occur: Motivation, Ability, and Trigger. When a behaviour does not occur, at least one of those three elements is missing.
Obviously many successful organisations follow that approach and put the right triggers in front of motivated people who have the ability to act. But the bad guys also know how to take advantage of this simple behaviour model. In the "miracle battery life saver" example above, the trigger was sent via email, the motivation was supplied (battery life saver, free app), and the ability was there in the form of an easy installation through the mobile phone's app store.
It also raises another question: How far can a proper security awareness program change an employee's usual human behaviour? I am uncertain whether the effectiveness of security awareness programs can be fully measured or not (please send me a note if you know a solid measurement method). But it becomes quite obvious that there are limitations; security awareness programs are not a silver bullet for changing people's behaviour and stopping them from doing stupid things. Each data loss or breach in an organisation with an established security awareness program seems to back up this conclusion.
Don't get me wrong, security awareness programs are still a vital element of a comprehensive information security approach, and every information security management system standard, such as ISO 27001, lists security awareness as one of its essential components. But it should be very clear that their effectiveness is limited and does not fully prevent good people from doing stupid things (aka the well-meaning insider). And it is even much more limited in its effectiveness against malicious insiders and highly targeted attacks.
So in addition to spending time, money and human resources on trying to teach employees to be secure, companies should also focus on securing the environment, on context-based access and authentication, and on segmenting the network and critical data.
In the end, it comes down to the eternal triangle of "People, Process and Technology" with "Information" in the centre of the triangle, as well as the right balance of a multi-layer information security approach.
I would like to encourage you to have a look at how Symantec can help you to secure information by reducing the risks and protecting your critical information, whether it is about getting the right threat intelligence, reducing or eliminating Spam and malicious code before they enter your network, improving your threat monitoring, or protecting your information with efficient backup and recovery strategies.