Why Security Awareness Campaigns Matter
The topic of security awareness training has floated up to the surface on a number of related topics lately, and I'm compelled to comment on what can only be described as a diametrically opposed set of opinions on the matter.
Here's a perfect illustration, taken from some comments on this blog entry where I suggested that many CIOs simply think that "awareness initiatives are good for sexual harassment and copier training, not security."
Firstly, here is someone who thinks that awareness training is a waste of time:
As to educating users, it's one of the dumbest ideas in security. As Marcus Ranum has famously pointed out, if it was going to work...it would have worked by now. If you are relying on user education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.
...and here is the counterpoint offered by another reader suggesting a different perspective:
Completely disagree. Of course you're not going to get through to everyone, but if you get through to maybe 80-90% then that's an awful lot of attacks you've prevented, with actually very little effort. The reason I think it hasn't worked yet is because people are not doing it effectively, or that they'll 'get around to it' once the CEO has signed off all the important projects, the ones that mean the IT Security team get to play with cool new toys.
What's my take?
I think this is very much a case of setting the appropriate expectations for what the deliverable and results of the awareness training should be. I think security awareness and education can bear substantial fruit. Further, like the second reader, I think the goals have to be set appropriately and realistically; suggesting that 100% of the trainees will yield 100% compliance is simply nonsense.
Again, we see that too often the "success" of a security initiative is only evaluated on a binary scale of 0 or 100%, which is simply stupid. We all know and accept that we'll never be 100% secure, so why would we suggest that 100% of our employees will remember and act on 100% of their awareness training?
What if I showed (and I have) that the number of tailgates through access-controlled access points went down over 30% since awareness training? What if I showed that the number of phishing attempt reports to IT Security increased 62% and click-throughs decreased by the same amount since awareness training? What if I showed that the number of reports of lost/stolen company property decreased by 18% since awareness training? How about when all our developers were sent to SDLC training and our software deficiencies per line of code went down double digits?
What if I told you that I spent very little money and time implementing this training, did it both interactively and through group meetings, and everyone was accountable and felt more empowered because we linked the topics to the things that matter to THEM as well as to the company?
As to Marcus' arguments regarding the efficacy of education/awareness, he's basically suggesting that the reason awareness doesn't work is (1) human stupidity and (2) a failure of properly implementing technology that should ultimately prevent #1 from even being an issue.
I suggest that as #2 becomes less of an issue, because people get smarter about how they deploy technology (which is also an "awareness" problem) and the technology itself gets better, implementing training and education for issue #1 becomes the element that helps close the residual gap.
To simply dismiss security awareness training as a waste of time is short-sighted and I've yet to find anyone who relies solely upon awareness training as their only strategy for securing their assets. It's one of many tools that can effectively be used to manage risk.
What's your take?
*Standing O*
It is one of the tools that should be in every portfolio. People use and misuse computers; computers don't misuse themselves. I use awareness training a lot, and it works -- just in a different space from where a firewall works.
Awareness can reduce the number of successful phishing and virus attacks, reduce the number of security vulnerabilities in applications, and reduce the number of security mistakes in system configurations. Awareness can also get you more funding. It's all good.
Posted by: shrdlu | February 29, 2008 at 01:17 PM
I would agree with you. If training is done correctly it can be very beneficial, but if it's, for instance, sent out as a PowerPoint slide that people can delete or just reply back that they read it, odds are they are never going to look at it.
I have seen security briefings where the person putting together the briefing made glaring mistakes. This would lead people to not listen or just chalk every bit of the briefing up as wrong.
I also agree that few if any companies/organizations I have worked with tried to relate it to myself or my coworkers. Most relate how it will directly benefit the 'big picture'. I have yet to see one show the direct impact on each individual person.
Posted by: Jesse | February 29, 2008 at 01:18 PM
Awareness training will not solve all of your problems by itself, but it should be a key component of an organization's security strategy.
Like you and others have said, I think it comes down to how you go about making the users aware. Presenting it so they can relate directly to incidents, making it interactive, and showing them results of why it matters can be the difference between success and failure. Too often, however, a generic email after an incident is sent out to all employees, which is not going to sink in for those who even bother to read it. Another key point I like to stress to users is that being security conscious will help them when they leave the office and jump online at home. I find that when you start talking about their bank information and assets it suddenly hits home.
I have been in organizations where users feel that by the time data (email, website, etc.) reaches them it must be safe because IT is scanning everything. Sometimes they just don't know any better and need to be shown the light. You will not get through to everyone, but if you can get through to just 10% of your user base it could make a big impact.
Posted by: DanO | February 29, 2008 at 02:53 PM
Agreed. It’s mostly just throwing baby food at the wall to see what sticks. It’s like saying that email filters aren’t effective because phishing still occurs and spam still gets through. Perhaps policies aren’t effective because some folks don’t follow them. Awareness training is just another tool in the toolbox.
Sure Ranum can make a joke about human stupidity, that’s funny. But people can be the strongest defense, as we all know because they can also be the strongest offense.
Posted by: Jay | February 29, 2008 at 03:04 PM
I think I've made my feelings known here and on my blog in the past, so I'll try not to bang the drum too long. :)
I agree with you and even Marcus at the same time. And the points of the three comments above mine, especially shrdlu's.
I like your statement that as #2 decreases we can worry less about #1. The problem is that #2 only gets better when technology stops changing so dramatically. At least with every new technology we can try and make progress from the start. Kinda like dragging your squad out into the field and setting up a camp. They get the camp all squared away and by then it's time to leave. Next night the camp has a whole new set of challenges like maybe an exposed hillside with tough winds. They get better each time setting up camp, but still have to deal with something new every time that can introduce mistakes, ropes that get worn, and other challenges.
I also feel that security awareness is about teaching people what your technical controls are. About teaching them why policies are the way they are, not just dictating what they can or cannot do.
Posted by: LonerVamp | February 29, 2008 at 03:17 PM
Could we possibly paint with a wider brush? Maybe more generalizations? Talking about education or awareness programs without assessing the environment is meaningless.
In situations with a target audience of educated professionals with a vested interest in the health of the company, it is foolish not to educate them. On the other hand, if we're talking about an environment where equipment and peripherals must be bolted down to keep the employees from stealing them, these employees are more likely to be click-happy AFTER security training- they want to break things. Many people in low wage positions hate their jobs and their employers, they are simply not good candidates for training.
Most of the situations we face fall somewhere in between, and if you do not analyze the situation and plan accordingly you will not get the best results.
I do think that education can help, but it will not solve anything by itself. It may even help a little in "hostile" environments- if you set your expectations accordingly (very low) and focus most of your efforts on the people who are likely to respond.
I leave you with the immortal words of Robert A. Heinlein, "Never try to teach a pig to sing. You waste your time and you annoy the pig."
Posted by: Jack Daniel | February 29, 2008 at 10:26 PM
I don't think that anyone would ever say get rid of everything else and focus on user education as your sole defense, but it does help. And you should definitely help the users help themselves when you can, either through stripping known dangerous types of attachments, turning on or installing phishing protection, using alternate browsers, or locked-down GPOs if you are in a Windows environment, but most of those only work when you know something is on the naughty list.
I'm fortunate enough to get to target users on our pen-tests, and 9/10 times we get a shell from a client side before we find a network vulnerability, especially on the external look. With everything else, once we identify it we start trying to fix that weak link. Most users are trying to do good and usually no one wants to get their network owned because "they" clicked on that link. If they are presented decent focused training people will pay attention and just maybe they'll teach their kids how not to get taken advantage of on the net and we will get that next generation of computer-savvy people. Saying all users are idiots and not even trying to educate them is really the equivalent of throwing your hands up in the air and quitting.
This was an interesting quote by Peter Tippett:
"Security awareness programs also offer a high rate of return, Tippett said. “Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it,” he said. “But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?”"
http://blogs.zdnet.com/threatchaos/?p=532 (the blog author disagrees)
Posted by: CG | March 01, 2008 at 03:47 AM
Making security awareness training relevant to individuals is perhaps one of the biggest challenges (well, that and trying to work out how to cover as many employees as possible with a meagre budget!).
One approach I have seen is to target users' personal computing usage. So, offer 'drop-in' sessions, flyers, good practice guidelines on how to secure their own computers, how to avoid common phishing scams, how to deal with malware and so forth; above all, make it relevant to the individual and their personal computing needs. From there, it is then possible to link to how the same 'good practice advice' is relevant to the corporate workplace.
It's like trying to impart a sense of 'personal ownership' into the whole information security thing, if that makes sense...
Posted by: fatbloke2 | March 03, 2008 at 07:53 AM
'Making security personal' is almost but not quite right. 'Making security relevant, interesting, engaging and worthwhile' would be better, but what about making it fun too? Security is such a dry, boring topic to most people. Worse still, they are often the ones who "have a job to do" and see security as an impediment. Making security awareness work even for tough audiences (the 10-20% noted earlier) takes creativity and persistence, plus some understanding of human psychology and attention to detail and quality in the awareness materials and their presentation. Here's a basic example: some of us "think in pictures", meaning that presentation materials with graphics are more likely to register than printed words. Some like to be told stuff, and often to discuss things. Others are bookworms. An awareness program that sticks to one or other method is unlikely to engage all the intended audience very effectively.
Security awareness is not intended to be the sole control. It complements technical, managerial, physical and procedural controls.
To me, it's the glue that binds the whole information security management system together.
And makes security stick in employees' heads.
Kind regards,
Gary Hinson
Posted by: Gary Hinson | March 15, 2008 at 04:02 PM