Recently I have had the opportunity to participate in a series of executive briefings around the country. Generally I co-host an event with Howard Schmidt or Andy Purdy, and it provides an interesting and sometimes contrasting view of information security in the public vs. private sector, as both of these gentlemen were part of the Department of Homeland Security’s Cyber Security Division. One of the topics that is usually discussed is the effectiveness of user awareness training. This was no different at the latest briefing in Atlanta, where Mike Rothman, who is arguably one of the snappiest dressers in security, and Michael Santarcangelo joined us; it was a pleasure to have them involved. In most cases our views are not widely disparate, although one area where there seemed to be some contention between us and the other participants was user awareness training.
Some argue that you can effectively train the average user to be “secure” – be one with the password, become the token, know the malware – but personally I think it is a losing battle. Security must be transparent to the end user: controls must be implemented that support security but do not inhibit the productivity of the average user. People want to believe, and it is very difficult to change human nature. Right now someone somewhere is opening an infected email because they truly believe someone loves them, or that there is a rich Nigerian prince, or that the cure for baldness is awaiting them in their AOL inbox, or that it is safe to print out personal banking records from an airport kiosk in Australia. Couple this with a never-ending flow of technically oriented, security-related badness flashing in front of their computer screens, from new security updates to new .dat files to questions about whether they really want application x to open port y, or whether they want to install an application even though it isn’t signed by big M, or my personal favorite, “Warning: you are entering an encrypted site”. Seriously, do we really expect them to understand what any of this means? Do we hope to teach them? Security and technology are too dynamic for that, and when presented with the question “Do you really want to do x?” users always say “yes”.
I am not against keeping people informed of threats and what they can do to minimize them; my mom won’t even open an attachment in email unless she is positive the sender actually sent the attachment intentionally. But it took years of FUD to increase her vigilance, and even today I still get the occasional “Hey, I think the internet is broken again”. As security professionals, let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible. That doesn’t mean that no awareness training should be performed, but in an enterprise it should probably consume 1% of 1% of the total security budget, which on average is 4-8% of the total IT budget.
I will leave you with this last real world example…
Last year, as part of the IT Security Summit in London, I moderated a case study on user awareness training presented by the CISO of a very large German-based financial institution. The CISO had implemented one of the most extensive, and costly I would add, user awareness training programs I had ever seen. It included the traditional all-employee newsletters with threat updates, security training, “security is everyone’s problem” and other assorted posters; it had executive support, and the company was even willing to assist in securing an employee’s home computing environment – it all sounded pretty awesome. The company wanted to understand whether the program was having any effect, so the CISO hired a third party to perform a penetration test bounded only by social engineering methods. The results were dismal: within a very short period of time the pen testers had not only the CEO’s email but confidential information from several systems. Not only were they able to social engineer their way into various systems, they even walked freely through one of the office locations by wearing t-shirts emblazoned with a flashy-looking logo and carrying a clipboard and walkie-talkie around.
The CISO was disappointed, but he used this as an opportunity to implement more controls and to highlight to the executive team his conclusion that user awareness training is an ineffective security discipline, and that no amount of budget spent turning the user population into security-minded corporate citizens should override the need for controls that are transparent to the end user and assume they will not do the right thing.