B.A.C.K.S stands for Behaviour, Attitude, Culture, and Knowledge for Security. It is an integral part of the Baseline program and helps identify the areas that require attention.
The entire Baseline process provides an excellent base for analysis of what human issues are being encountered now, and what level of controls and best practice we are aiming for.
It also provides an excellent tool to plan the best methods of education as well as what else needs to be done to address the human factor. Behaviour, unlike awareness, is the ultimate objective of any campaign of this type.
Creating awareness or knowledge alone won’t succeed in identifying the staff’s understanding of:
- security principles,
- their attitudinal and cultural issues,
- their knowledge and understanding of the topics,
- their motivation and ego-based concerns,
- which all ultimately lead towards changes in their behaviour.
The Baseline also provides us with an excellent tool to focus the training components where they are most needed. It’s like using a scalpel rather than a shotgun. We can identify the topics that should be addressed by department or, if needed, down to individual users.
These areas of concern are broken down into four specific areas:
- Knowledge – Do your staff actually understand the information?
- Attitude – What are their attitudinal contributors that are being impacted by internal and external factors?
- Culture – How is the culture of TRC impacting attitudes and, subsequently, behaviour?
- Behaviour – How are they behaving, and how would they behave in certain circumstances?
All these areas provide an invaluable tool and subsequent report to ensure the maximum success from the program to reduce the human risk associated with security.
The Baseline is used going forward as the reference against which all future activities are measured. Training alone won’t provide any real metrics of the success of the program.
The metrics that are ultimately used, leading to a change in behaviour, are:
- Improvement in knowledge, understanding and retention, not just completion of the training course,
- Reduced susceptibility to social engineering attacks,
- Improved physical security behavioural change,
- Following of the security culture,
- Increase in reporting of suspicious activities,
- Decrease in response to attacks,
- Increase in verbal communications about suspicious activities,
- Undertaking a more active role in acceptance of responsibility,
- And ultimately, an improvement in behaviour towards security as a whole.
Layer 8 Security provides Australian built and focused training activities, reinforcement activities, games, articles, tools, security awareness week, and ongoing measurement and tuning of the program. We also provide Australian built and focused email and SMS phishing tools, which provide actual localised and configured simulated attacks. All of our services and tools can be configured to your organisation, with local voiceovers if you wish.
We have been providing these services for over 8 years now with many local, national and international customers.