The topic of security awareness training has floated up to the surface
on a number of related topics lately and I’m compelled to comment on
what can only be described as a diametrically opposed set of opinions
on the matter.
Here’s a perfect illustration taken from some comments on this blog entry
where I suggested that many CIO’s simply think that "awareness
initiatives are good for sexual harassment and copier training, not
Firstly, here is someone who thinks that awareness training is a waste of time:
As to educating users, it’s one of the dumbest ideas in
security. As Marcus Ranum has famously pointed out, if it was going to
work…it would have worked by now. If you are relying on user
education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.
…and here is the counterpoint offered by another reader suggesting a different perspective:
Completely disagree. Of course you’re not going to get
through to everyone, but if you get through to maybe 80-90% then that’s
an awful lot of attacks you’ve prevented, with actually very little
effort. The reason I think it hasn’t worked yet is because people are
not doing it effectively, or that they’ll ‘get around to it’ once the
CEO has signed off all the important projects, the ones that mean the
IT Security team get to play with cool new toys.
What’s my take?
I think this is very much a case of setting the appropriate
expectations for what the deliverable and results should be from the
awareness training. I think security awareness and education can bear substantial fruit. Further, like the second reader, I think the goals must be set
appropriately and realistically; suggesting that 100% of the
trainees will yield 100% compliance is simply nonsense.
Again, we see that too often the "success" of a security initiative is
evaluated only on a binary scale of 0% or 100%, which is simply stupid.
We all know and accept that we'll never be 100% secure, so why would
we suggest that 100% of our employees will remember and act on 100% of
their awareness training?
What if I showed (and I have) that the number of tailgating incidents through
access-controlled entry points went down over 30% since awareness training?
What if I showed that the number of phishing attempts reported to IT
Security increased 62% and click-throughs decreased by the same amount
since awareness training? What if I showed that the number of reports
of lost/stolen company property decreased by 18% since awareness
training? How about when all our developers were sent to SDLC training and our software deficiencies per line of code went down by double digits?
What if I told you that I spent very little money and time
implementing this training, that I did it both interactively and through
group meetings, and that everyone was accountable and felt more empowered
because we linked the topics to the things that matter to THEM as well
as to the company?
As to Marcus’ arguments
regarding the efficacy of education/awareness, he’s basically
suggesting that the reason awareness doesn’t work is (1) human
stupidity and (2) a failure of properly implementing technology that
should ultimately prevent #1 from even being an issue.
I suggest that as #2 becomes less of an issue, because people get smarter
about how they deploy technology (which is also an "awareness" problem)
and the technology itself gets better, training and education aimed at issue #1 become the element that will
help reduce the residual gap.
To simply dismiss security awareness training as a waste of time is
short-sighted, and I've yet to find anyone who relies solely upon
awareness training as their strategy for securing their assets.
It's one of many tools that can be used effectively to manage risk.
What’s your take?