The topic of security awareness training has floated up to the surface on a number of related topics lately and I'm compelled to comment on what can only be described as a diametrically opposed set of opinions on the matter.
Here's a perfect illustration taken from some comments on this blog entry where I suggested that many CIOs simply think that "awareness initiatives are good for sexual harassment and copier training, not security."
Firstly, here is someone who thinks that awareness training is a waste of time:
As to educating users, it's one of the dumbest ideas in security. As Marcus Ranum has famously pointed out, if it was going to work...it would have worked by now. If you are relying on user education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.
...and here is the counterpoint offered by another reader suggesting a different perspective:
Completely disagree. Of course you're not going to get through to everyone, but if you get through to maybe 80-90% then that's an awful lot of attacks you've prevented, with actually very little effort. The reason I think it hasn't worked yet is because people are not doing it effectively, or that they'll 'get around to it' once the CEO has signed off all the important projects, the ones that mean the IT Security team get to play with cool new toys.
What's my take?
I think this is very much a case of setting the appropriate expectations for what the deliverables and results of awareness training should be. Security awareness and education can bear substantial fruit. Further, like the second reader, I think the goals have to be set appropriately and realistically: expecting 100% of the trainees to yield 100% compliance is simply nonsense.
Again, we see that too often the "success" of a security initiative is only evaluated on a binary scale of 0 or 100%, which is simply stupid. We all know and accept that we'll never be 100% secure, so why would we suggest that 100% of our employees will remember and act on 100% of their awareness training?
What if I showed (and I have) that the number of tailgates through access-controlled entry points went down over 30% since awareness training? What if I showed that the number of phishing attempts reported to IT Security increased 62% and click-throughs decreased by the same amount since awareness training? What if I showed that the number of reports of lost/stolen company property decreased by 18% since awareness training? How about when all our developers were sent to SDLC training and our software defects per line of code went down by double digits?
What if I told you that I spent very little money and time implementing this training, did it both interactively and through group meetings, and everyone was accountable and felt more empowered because we linked the topics to the things that matter to THEM as well as to the company?
As to Marcus' arguments regarding the efficacy of education/awareness, he's basically suggesting that the reasons awareness doesn't work are (1) human stupidity and (2) a failure to properly implement technology that should ultimately prevent #1 from even being an issue.
I suggest that as #2 becomes less of an issue, as people get smarter about how they deploy technology (which is itself an "awareness" problem) and the technology gets better, then training and education for issue #1 become the element that helps reduce the residual gap.
To simply dismiss security awareness training as a waste of time is short-sighted, and I've yet to find anyone who relies solely upon awareness training as their only strategy for securing their assets. It's one of many tools that can be used effectively to manage risk.
What's your take?