Don’t Let Lousy Teachers Sink Security AwarenessYou can't fix a human problem with a technology solution. Here are three reasons why user education can work and six tips on how to develop a corporate culture of security.
I strongly believe that end-user awareness training is a very important part of a defense-in-depth security strategy. While we need technological controls, controls will never catch everything -- and social engineers will always find new ways to trick users into doing things they shouldn't.
The bottom line is that you can't fix a human problem with a technology solution. You need to train a culture of security.
Unfortunately, a significant portion of the InfoSec community -- including some security gurus I respect greatly -- disagree with me on this. They believe end-user education is worthless. Their arguments are wrong and here's why:
Argument No. 1: Even if training reduces bad user behavior, a mistake from one bad egg still lets threats in. This is the most inane argument against security training I've ever heard. If you are a security professional, you understand that no security control is invulnerable.
No, training will not make your users faultless security ninjas who never make mistakes, but your technical controls don't do that either. Training will, however, lower the number of mistakes users make, which lessens the pressure down the line for your technical security controls and your incident response team.
Argument No. 2: Average people don't care about security; it's too abstract of a problem. The InfoSec problem is only abstract to the people who are uninformed about the issue. The whole point of training is to inform them. It takes time to change culture, and a shift towards better InfoSec awareness is a culture change, but training does work.
Argument No. 3: Users are just ignorant lay people who don't get it; they'd have to be experts to really understand and it's just too hard to make them experts. To me, that argument is the crux of the problem. While, admittedly, this is a gross overgeneralization, a large part of the IT community seems to trivialize the intelligence and potential of the average end-user.
If you've been in the IT profession for a while, you've probably heard terms like PEBCAK (Problem Exists Between Chair And Keyboard) and luser (a users who is also a loser), or you've heard phrases like, "You can't patch stupid," or, "It's a layer eight problem." I believe over time these sorts of jokes have slowly poisoned our community into assuming the average end-user is clueless and stupid. This couldn't be further from the truth.
It's not that IT professionals don't want to be inclusive -- and really they do share their knowledge and insight. It's just that we are so used to talking to peers using our succinct, albeit harsh, shorthand, that we forget what it was like to not understand it. This makes IT or InfoSec pros lousy teachers.
The good news is it's easy to change. You can start by following six simple tips that should help improve your security awareness training success rate.
Tip No. 1: Get users on your team. Often, corporate security training comes off as, "You need to be a good employee and protect the company, and here are all the draconian rules." Rather, you should highlight how this security training directly benefits the users themselves. For example, the same InfoSec practices that help protect your company will also help employees at home. If they realize the personal benefits of this sort of training, I think you'll find they'll be much more willing to use them at work as well.
Tip No. 2: Simplify your goals and messages. Training is not about making end-users InfoSec experts. It's about sharing just enough information to foster some key behaviors. In other words, if you are training them about buffer overflows flaws, you're doing it wrong. Instead, you should be training them about how to recognize phishing emails or how to interact with unsolicited attachments. In the end, you want them to know enough about the potential problem that they will adopt the right behavior.
Tip No. 3: Don't spout acronyms without explanation. In short, don't speak in the same shorthand you use with peers. Even if you think a term or acronym is well recognized, spend the extra minute to explain it.
Tip No. 4: Examples, anecdotes, metaphors. When you are teaching security awareness, find a way to ground the subject with real examples. For my training presentation, I'm known for throwing in some sort of actual attack or "hacking" demo. You may not have the time or resources for a full demo, but you can at least share sample phishing emails, or tell stories about actual malware or attacks.
Tip No. 5: Make learning fun and interactive. There are many way to make training fun. For example, break the group into teams, give them some email samples and award a prize to the team that identifies the most potentially malicious emails. I know security is a serious subject, but if you get the group interacting and laughing, they'll be more open to the serious advice you give them.
Tip No. 6: Creating a security culture takes time. Finally, don't expect complete change overnight. Everyone wants an easy fix. Thinking you can give one presentation that will eliminate users from ever clicking on a phishing email link is not a realistic expectation. With new employees, and changes in the threat landscape, you will have to redo and update trainings a few times a year.
In my opinion, end-user security training is worth it, despite what some naysayers might claim. There's even data to support that it works. However, not all training is created equal. If we are inclusive and show passion in what we share, I think you'll find the average end-user can be converted into a resilient InfoSec neophyte, making your job a bit easier.
Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio