The ineffectiveness of user awareness training

Recently I have had the opportunity to participate in a series of executive briefings around the country, generally I will co-host an event with Howard Schmidt or Andy Purdy and it provides an interesting and sometimes contrasting view of information security in the public vs. private sector as both of these gentlemen were part of the Department of Homeland Security’s Cyber Security Division. One of the topics that is usually discussed is the effectiveness of user awareness training. This was no different in the latest briefing in Atlanta where Mike Rothman, who is arguably one of the snappiest dressers in security, and Michael Santarcangello joined us and it was a pleasure to have them involved. In most cases our views are not widely disparate, although one area where it seemed there was some contention between us and the other participants was user awareness training.

Some argue that you can effectively train the average user to be “secure” – be one with the password, become the token, know the malware – personally I think it is a losing battle. Security must be transparent to the end user; controls must be implemented that support security but do not inhibit the productivity of the average user. People want to believe, and it is very difficult to change human nature. Right now someone somewhere is opening an infected email because they truly believe someone loves them, or that there is a rich Nigerian prince, or that the cure for baldness is awaiting them in their AOL inbox, or that it is safe to print out personal banking records from an airport kiosk in Australia (here). Couple this with a never-ending flow of technically oriented, security-related badness flashing in front of their computer screens, from new security updates to new .dat files to questions about whether they really want application x to open port y, or whether they want to install an application even though it isn’t signed by big M, or my personal favorite, “Warning: you are entering an encrypted site.” Seriously, do we really expect them to understand what any of this means? Do we hope to teach them? Security and technology are too dynamic for that, and when presented with the question “Do you really want to do x?” users always say “yes”.

I am not against keeping people informed of threats and what they can do to minimize them; my mom won’t even open an attachment in email unless she is positive the sender actually sent it intentionally. But it took years of FUD to increase her vigilance, and even today I still get the occasional “Hey, I think the internet is broken again.” As security professionals, let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible. That doesn’t mean that no awareness training should be performed, but in an enterprise it should probably consume 1% of 1% of the total security budget, which on average is 4-8% of the total IT budget.

I will leave you with this last real world example…

Last year, as part of the IT Security Summit in London, I moderated a case study on user awareness training that was presented by the CISO of a very large German-based financial institution. The CISO had implemented one of the most extensive, and costly I would add, user awareness training programs I had ever seen. It included the traditional all-employee newsletters with threat updates, security training, “security is everyone’s problem” and other assorted posters; it had executive support, and the company was even willing to assist in securing an employee’s home computing environment – it all sounded pretty awesome. The company wanted to understand if the program was having any effect, so the CISO hired a third party to perform a penetration test bounded only by social engineering methods. The results were dismal. Within a very short period of time the pen testers had not only the CEO’s email but confidential information from several systems; not only were they able to social engineer themselves into various systems, they even walked freely through one of the office locations by wearing t-shirts emblazoned with a flashy-looking logo and carrying a clipboard and walkie-talkie around.

The CISO was disappointed, but he used this as an opportunity to implement more controls and to highlight to the executive team his conclusion that user awareness training is an ineffective security discipline and no amount of budget spent to turn the user population into security minded corporate citizens should override the need for controls that are transparent to the end-user and assume they will not do the right thing.


16 thoughts on “The ineffectiveness of user awareness training”

  1. I agree with you about leveraging technology as much as you can to deal with this issue. But I also think that most users are not stupid, and would do the right thing if they know what that is. I’m curious to see whether the penetration test helped with security awareness on the example you cite. In my experience, a successful pen-test that involves user related attacks is not only an effective tool to get things moving, like you mentioned, but a powerful user education tool as well.

  2. Awesome! From guerilla-ciso

    Mike’s version of what Security Awareness and Training should be for the average user:

    * You have no privacy on our network or computers
    * Doing this list of things will get you sent to a federal prison
    * Doing this list of things will get you fired
    * If you suspect something is strange, call the help desk
    * If you have any security-specific questions, here is how you can reach me to ask
    * Don’t do anything that seems stupid at the time, if you have to ask if it’s OK to do, then the answer is probably “no”.
    * Have a nice day

    Notice I don’t believe in trying to educate users what a firewall is, the basics of CIA, none of that. They won’t remember it, just like I try to forget everything I know about asset depreciation and the other fine points of counting beans.

  3. @Max

    I have heard the argument before that most users, or some users are not stupid – the problem is that there is no way for an organization to parse out the stupid from the non-stupid user so they must assume that users will do stupid things and implement controls against the inevitable.

    People do stupid things no matter how much information they are armed with; look at drunk driving, speeding, smoking, drinking and other forms of self-destructive behavior, eating fatty foods or not properly exercising – all of these have extensive information on their negative effects, heavy media attention and marketing campaigns, and significant impact on our society, and yet, even when armed with the information, people continue to ignore it.

    I have worked with some brilliant people in my career, and many times it was as a manager who had responsibility for parsing through the computer of an employee who was let go, laid off or quit, to identify any source code, documents, or other artifacts that we needed to retain before blasting a new image on the device – these were all smart people, security people – and I was amazed at the amount of porn, stolen music, documents, source code, and other “things” that should not have been on a corporate asset, and the only way they could have found their way there was if the employee bypassed security policy.

  4. It’s all about context and what the users need to know. My list is for the “average” user.

    Now system administrators, they need to know some of this, like what some of the policy is, the rules for creating accounts, how to submit a Request for Change, etc.

    And your security staff needs a completely different set of training, but at that point, you’re looking at career development and the skills to help you out on a daily basis.

    Somewhere along this spectrum is the right level of training for everybody, the trick is to match the needs with the level of presentation.

  5. I wouldn’t call this ineffective at all. Awareness training is an important part for all different kinds of issues. How would you try to stop HIV or spread the words out. How about global warming! Awareness will make a difference, also for online security!

    Even my 65 year old mother knows that she should not open a .exe or .bat file. She learned that in a computer course for elderly people.

  6. What if we just have failed to come up with an effective awareness program?

    I fully support your recommendation to use technology and procedures to counter to reduce the sphere of influence by users to introduce security risks, but how do you do that for example with social engineering? (maybe replace humans with robots)

    I still believe that a beneficial security awareness program could be built up but one needs to focus less on issues that technology and procedures can solve (like malware, viruses etc.) and more on issues that the user’s behavior would directly impact and that would be difficult to prevent otherwise.
    We also know people resist change, but how do you scientifically explain that? What does go on in the brain? It’s explained in the following article. I strongly recommend reading it:

    Change Management – Understanding the Science of Change
    http://www.cio.com/article/24975/Change_Management_Understanding_the_Science_of_Change

  7. I am not an expert on AIDS/HIV infection, but I figured the CDC had some data to see if over a given time-frame there would be any statistically significant decrease in HIV infection, and they did:

    “The total number of HIV/AIDS diagnoses decreased from 41,207 (CI = 40,961–41,453) in 2001 to 38,685 (CI = 37,924–39,445) in 2004; the average annual decrease was not statistically significant. A nonsignificant average annual increase occurred in the number of HIV/AIDS diagnoses among men who have sex with men (MSM), from 16,609 (CI = 16,260–16,957) cases in 2001 to 18,196 (CI = 17,609–18,782) cases in 2004 (Figure 1). From 2003 to 2004, the number of HIV/AIDS diagnoses among MSM increased 8%; this increase was statistically significant (p

  8. Um, all that case study says to me, Chris, is that the particular [‘very costly’] awareness program failed to prevent a social engineering pen test, NOT that security awareness *as a whole* is a failure. The truth is that doing security awareness well is quite difficult but not necessarily expensive (the two are independent variables). The main problem I see is that techies are not good at interacting with Ordinary People. With respect, Chris, your blog ably demonstrates my point. Techies tend to see things in technical terms. We understand and respect technology. Ordinary mortals don’t understand IT and either loathe it or are in awe of it – either way, they inhabit a different world from us. There are plenty of low- and medium-cost options, both technical and non-technical, to make security awareness more effective. NIST SP 800-50 talks through a few of them and provides a useful framework to help understand them – including the differences between security awareness, training and education.

    Kind regards,
    Gary

  9. Pingback: www.andrewhay.ca » Suggested Blog Reading - Thursday May 3rd, 2007

  10. Pingback: Ineffective User Awareness Training Revisited « Observations of a digitally enlightened mind

  11. Pingback: Does Security Awareness Work? Some Answers from Experimental Research | BlogInfoSec.com

  12. Pingback: Does Security Awareness Work (pt. 2)? It all Depends on What You Mean by “Work” | BlogInfoSec.com
