At last week's RSA 2013 security conference, four prominent members of the security industry participated in an emotionally charged debate (at least for the audience) over whether end user security awareness training is critical to end user security, or whether the resources are better spent implementing controls that protect users from themselves. The panel was made up of Bruce Schneier (BT), Dave Aitel (Immunity), Fran Brown (Stach & Liu), and Hord Tipton (ISC2). In a one-sided discussion that did not include anyone from the security awareness training community, the panel members were adamant in their insistence that end user security awareness training was a waste of time and resources. Since there was no audience Q&A portion of the debate, I'm going to rebut a couple of the arguments the panel gave as reasons why they did not support end user security awareness training.

Stop Chasing the 100% Success Rate

In his opening remarks, Dave Aitel started off the debate by listing some statistics describing how frequently his testing team was able to trick users who had presumably taken a security awareness course into falling for an email phishing attack. Aitel concluded that since security awareness training could not stop 100% of the users from falling prey to a phishing attack, security awareness training was a waste of time and resources. This is a misguided conclusion because no single layer of security, security awareness training included, will ever be 100% effective in stopping an attack. Using multiple layers of security, also known as "defense in depth", is the key to protecting users and sensitive data from attacks. Security awareness training is just one layer of an organization's defenses, just like installing firewalls on a network or using an intrusion detection system. Neither of those security tools will stop every attack, but when used together, they decrease the risk of a successful attack. By having users complete a thoughtfully designed security awareness training program, an organization mitigates the risk of a data breach occurring.

Some Things Change, BUT Some Stay the Same

Bruce Schneier began his dismissal of the value of end user security awareness training by stating that awareness training was not useful when dealing with environments that were constantly changing. While it is true that attackers are continually creating new attacks, our applications are continually updated with new functionality, and our operating systems are continually being patched, there are elements within a user’s computer experience that remain unchanged. For example, it is common for users to send each other links within an email.  Users have been doing this for years and years and will probably continue the practice. Yet, we also know that attackers will attempt to send a user a malicious link within an email in hopes they will click on it. Since this is a user experience that will most likely not change in the near future, a security awareness course can instruct a user about the dangers of clicking on links within emails. A well-designed security awareness course will focus on insecure user behavior that is unchanging so that the lessons learned are ones that can be applied for years to come.

Finding the Silver Lining

The debate about the value of end user security awareness training left me feeling very disappointed. Without any security training providers to defend the value of their security awareness courses, the debate felt very one-sided against their value. However, there was a silver lining. After the debate, the moderator took a poll of the hundred or so members of the audience to find out how many believed that end user security awareness training was valuable: it appeared that around 75% of the audience still felt that training was important. Perhaps, in their opinion, they also believed that a well-designed end user security awareness course that focused on common insecure user behavior could be a valuable layer of defense within an organization. Insecure behavior by users, such as an employee of a bank sending sensitive data within an unencrypted email (which actually led to one of my coworkers having his identity stolen while applying for a home loan), can certainly be minimized with the implementation of end user security awareness training.

Final Thoughts

By not giving our users security awareness training, we are relying on "hope nothing bad happens" as a defense. Good luck with that.