Ineffective User Awareness Training Revisited

A recent post on the ineffectiveness of user awareness training (here) has sparked some lively discussion, some agree and others not so much. Interestingly enough those that disagree with my position seem to feel that it implies that one can make a similar argument about technology, a completely absurd leap. Anyway I was not trying to weigh user-awareness training against technology alone.

Let’s be clear about what I said…

“As security professionals let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible, that doesn’t mean that no awareness training should be performed but in an enterprise it should probably consume 1% of 1% of the total security budget, of which on average is 4-8% of total IT budget”

Notice I said “technical and procedural controls…” Also notice I said to focus efforts, not eliminate completely, I even took the liberty of suggesting budget allocation – yeah for me!

So what are some procedural controls an organization may take to limit the probability that users may perform some action that would jeopardize the business or lead to a security incident or policy violation that does not involve traditional ineffective user awareness training.

Perform a background check of employees. Seems obvious right, this doesn’t mean an individual with a good work history, no criminal record, clean credit and who doesn’t lie on their job application will not visit a porn site and infect the company with malware, but it may weed out those that might before they even join the organization.

Define acceptable use policies and ensure all employees sign these as part of the employment process. If an organization believes that it may fall prey to malware or have to deal with a virus incident (and which do not) it is within their right to limit the vectors malware may use, such as infected websites, file-sharing software, etc. A policy that states that users are in violation of corporate policy if they do x will probably do more to limit them from doing x then hoping they fear a security incident from occurring will. (Technology works well here too, far more effective than trying to make people aware of the dangers)

Enforce policies. Policies without teeth are irrelevant, personally I think every organization should find a sacrificial lamb to slaughter once a quarter, some schmuck in marketing who is caught playing solitaire, surfing the ESPN website, reading blogs or something to ensure the masses understand their livelihood is at risk if they violate policy as opposed to simply annoying the security response team. (I am kidding about the sacrificial lamb comment btw).

There are many other procedural controls that can be implemented to deter user stupidity from leading to security incidents, such as monitoring behavior (more than a technology) or tying MBO’s to measurable productivity goals, the point is that there is no evidence that user awareness training, of any kind, does anything to deter people from risky or bad behavior and an organization is in a far better position if they assume users WILL do bad things and implement controls (technical, procedural and organizational) that limit the probability user behavior will result in a security incident or that if one occurs the organization will limit its impact.

3 thoughts on “Ineffective User Awareness Training Revisited

  1. Pingback: » Suggested Blog Reading - Friday May 4th, 2007

  2. “There are many other procedural controls … to deter user stupidity…such as monitoring behavior (more than a technology) or tying MBO’s to measurable productivity goals”

    Hey, here’s a good use for your IT staffing money: Turning your incident handlers and security analysts into the company hall monitors.

    Seriously, are we still flirting with the idea that supervision is a technical job? This is the responsibility of middle management. If they can’t enforce corporate policy, they fail, and it should be *their* livelihood on the line. Partnering with IT to give managers tools is one thing, but asking technical staff to take on supervision for company employees is a waste of resources at several levels.

  3. first I am against monitoring users, we are already flirting with too many intrusions of privacy and I am not sure there are enough defined boundaries on how the information would be used – but here, nor there I was suggesting monitoring as a procedural control, supported through technology, but not managed by IT. It would be easy to set policies, monitor for violations of policy and then alert management or HR or whomever would be in the position to take action. I do think this is more than hall monitoring because the result could be a virus outbreak or a more significant security breach though,.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s