Cliff Kittle, a cybersecurity strategist and former Marine officer, has a post on the Cybertheory website on situational awareness worth reading. The full post is at https://cybertheory.io/situational-awareness-an-imperative-for-a-mature-cybersecurity-model; this is a summary.
69% of cybersecurity breaches are the result of human error, and lack of situational awareness is the number one cause. Kittle defines situational awareness as recognizing what is occurring in the environment and its implications for the present and future. Situational awareness is especially relevant to cybersecurity where volatility, uncertainty, chaos and ambiguity are the rule.
Work from home has increased the risk of data theft, operational disruption, brand erosion, and employee/customer compromise tenfold. A high level of situational awareness is needed to develop a cybersecurity model in which unsafe situations are recognized as critical, addressed in close to real time, and met with countermeasures.
Situational awareness is a mindset generally lacking in humans. People commonly focus on one activity and do not assess their surroundings. Confronted by a threat, such a person's response is emotional - fight, flight or surrender. The alternative is a planned proactive response with assertiveness, decisiveness and composure.
There are three levels of situational awareness:
- Perception - observe the activity in the environment and recognize important details.
- Assessment - process the information and diagnose the situation.
- Decision making.
In a work from home environment, every individual is an "outpost" - capable of providing an early alert but a potential vulnerability. With situational awareness training an individual has the ability to identify, process, comprehend and respond to threats.
Kittle identifies five states of awareness, four of them identified by colors:
- Tuned out (white) - the most vulnerable level. Individuals are unaware of threats, unprepared and respond reactively.
- Relaxed awareness (yellow) - usual level of awareness, alert to possible threats.
- Focused awareness (orange) - heightened awareness focused on a specific threat, prepared to make decisions within scope of authority.
- High alert (red) - action must be taken to counter a breach.
- Comatose - "brain freeze" usually caused by insufficient training.
Situational awareness must be developed through both formal, scenario-based training and informal training through practice.
Three basic factors determine whether a situation escalates or de-escalates:
- Human - mental, physical and emotional states of people confronting a threat. Issues include multi-tasking resulting in inattentional blindness, tunnel vision, stress and force of habit.
- Environment - effects of friction (simple actions seem difficult and difficult ones seem impossible), uncertainty, fluidity and disorder.
- Situational - emotional reactions of denial, anger, fear, tunnel vision and decision fatigue.
All of these factors can be manipulated and addressed by training, experience and practice.
Critical thinking to improve situational awareness requires a shift from a procedural to an investigative mindset.
With the shift in the work environment due to COVID-19, remote workers need to make decisions that would formerly have been made by leadership. Decentralized decision making relies heavily on understanding the security leader's intent. Distributed authority is chaotic and the risks and rewards must be balanced. Three variables require attention:
- Trust and open communication through leadership supervision without suppressing individual initiative.
- Degree of subordinate authority will vary by individual.
- Mutual agreement between leader and subordinates integrating vision and action.
Tempo - relative speed in time - determines outcome. The typical organization does not operate at a fast enough tempo to impede an adversary. Tempo is a four-step mental process: observation, orientation, decision and action. Orientation turns information into knowledge, leading to good decisions on the best course of action. Once the result of action is observed, the cycle begins again. Continuous improvement enables organizations to seize the initiative from attackers. This should be the goal of situational awareness.