A recent post on the ineffectiveness of user awareness training (here) has sparked some lively discussion; some agree, others not so much. Interestingly enough, those that disagree with my position seem to feel that it implies one can make a similar argument about technology, a completely absurd leap. Anyway, I was not trying to weigh user-awareness training against technology alone.
Let’s be clear about what I said…
“As security professionals let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible. That doesn’t mean that no awareness training should be performed, but in an enterprise it should probably consume 1% of 1% of the total security budget, which on average is 4-8% of total IT budget.”
Notice I said “technical and procedural controls…” Also notice I said to focus efforts, not eliminate completely. I even took the liberty of suggesting a budget allocation – yay for me!
So what are some procedural controls an organization may take to limit the probability that users will perform some action that jeopardizes the business or leads to a security incident or policy violation, without relying on traditional, ineffective user awareness training?
Perform a background check of employees. Seems obvious, right? This doesn’t mean an individual with a good work history, no criminal record, clean credit, and who doesn’t lie on their job application will never visit a porn site and infect the company with malware, but it may weed out those that might before they even join the organization.
Define acceptable use policies and ensure all employees sign them as part of the employment process. If an organization believes that it may fall prey to malware or have to deal with a virus incident (and which does not?), it is within its rights to limit the vectors malware may use, such as infected websites, file-sharing software, etc. A policy that states that users are in violation of corporate policy if they do x will probably do more to stop them from doing x than hoping they fear a security incident will. (Technology works well here too, far more effectively than trying to make people aware of the dangers.)
Enforce policies. Policies without teeth are irrelevant. Personally, I think every organization should find a sacrificial lamb to slaughter once a quarter, some schmuck in marketing who is caught playing solitaire, surfing the ESPN website, reading blogs or whatever, to ensure the masses understand their livelihood is at risk if they violate policy, as opposed to simply annoying the security response team. (I am kidding about the sacrificial lamb comment, btw.)
There are many other procedural controls that can be implemented to deter user stupidity from leading to security incidents, such as monitoring behavior (more than a technology) or tying MBOs to measurable productivity goals. The point is that there is no evidence that user awareness training, of any kind, does anything to deter people from risky or bad behavior. An organization is in a far better position if it assumes users WILL do bad things and implements controls (technical, procedural and organizational) that limit the probability that user behavior will result in a security incident, and that limit the impact if one does occur.