Dark Reading is part of the Informa Tech Division of Informa PLC
Operations

6/11/2014
12:00 PM
Don’t Let Lousy Teachers Sink Security Awareness

You can't fix a human problem with a technology solution. Here are three reasons why user education can work and six tips on how to develop a corporate culture of security.

I strongly believe that end-user awareness training is a very important part of a defense-in-depth security strategy. While we need technological controls, controls will never catch everything -- and social engineers will always find new ways to trick users into doing things they shouldn't.

The bottom line is that you can't fix a human problem with a technology solution. You need to train a culture of security.

Unfortunately, a significant portion of the InfoSec community -- including some security gurus I respect greatly -- disagrees with me on this. They believe end-user education is worthless. Their arguments are wrong, and here's why:

Argument No. 1: Even if training reduces bad user behavior, a mistake from one bad egg still lets threats in. This is the most inane argument against security training I've ever heard. If you are a security professional, you understand that no security control is invulnerable.

No, training will not make your users faultless security ninjas who never make mistakes, but your technical controls don't do that either. Training will, however, lower the number of mistakes users make, which lessens the pressure down the line for your technical security controls and your incident response team.

Argument No. 2: Average people don't care about security; it's too abstract of a problem. The InfoSec problem is only abstract to the people who are uninformed about the issue. The whole point of training is to inform them. It takes time to change culture, and a shift towards better InfoSec awareness is a culture change, but training does work.

Argument No. 3: Users are just ignorant lay people who don't get it; they'd have to be experts to really understand and it's just too hard to make them experts. To me, that argument is the crux of the problem. While, admittedly, this is a gross overgeneralization, a large part of the IT community seems to trivialize the intelligence and potential of the average end-user.

If you've been in the IT profession for a while, you've probably heard terms like PEBCAK (Problem Exists Between Chair And Keyboard) and luser (a user who is also a loser), or you've heard phrases like, "You can't patch stupid," or, "It's a layer eight problem." I believe over time these sorts of jokes have slowly poisoned our community into assuming the average end-user is clueless and stupid. This couldn't be further from the truth.

It's not that IT professionals don't want to be inclusive -- they really do share their knowledge and insight. It's just that we are so used to talking to peers in our succinct, albeit harsh, shorthand that we forget what it was like not to understand it. This makes IT and InfoSec pros lousy teachers.

The good news is it's easy to change. You can start by following six simple tips that should help improve your security awareness training success rate.

Tip No. 1: Get users on your team. Often, corporate security training comes off as, "You need to be a good employee and protect the company, and here are all the draconian rules." Rather, you should highlight how this security training directly benefits the users themselves. For example, the same InfoSec practices that help protect your company will also help employees at home. If they realize the personal benefits of this sort of training, I think you'll find they'll be much more willing to use them at work as well.

Tip No. 2: Simplify your goals and messages. Training is not about making end-users InfoSec experts. It's about sharing just enough information to foster some key behaviors. In other words, if you are training them about buffer overflow flaws, you're doing it wrong. Instead, you should be training them on how to recognize phishing emails or how to handle unsolicited attachments. In the end, you want them to know enough about the potential problem that they will adopt the right behavior.

Tip No. 3: Don't spout acronyms without explanation. In short, don't speak in the same shorthand you use with peers. Even if you think a term or acronym is well recognized, spend the extra minute to explain it.

Tip No. 4: Examples, anecdotes, metaphors. When you are teaching security awareness, find a way to ground the subject with real examples. In my training presentations, I'm known for throwing in some sort of actual attack or "hacking" demo. You may not have the time or resources for a full demo, but you can at least share sample phishing emails, or tell stories about actual malware or attacks.

Tip No. 5: Make learning fun and interactive. There are many ways to make training fun. For example, break the group into teams, give them some email samples, and award a prize to the team that identifies the most potentially malicious emails. I know security is a serious subject, but if you get the group interacting and laughing, they'll be more open to the serious advice you give them.

Tip No. 6: Creating a security culture takes time. Finally, don't expect complete change overnight. Everyone wants an easy fix. Thinking you can give one presentation that will keep users from ever clicking on a phishing email link again is not a realistic expectation. With new employees and changes in the threat landscape, you will have to repeat and update trainings a few times a year.

In my opinion, end-user security training is worth it, despite what some naysayers might claim. There's even data to support that it works. However, not all training is created equal. If we are inclusive and show passion in what we share, I think you'll find the average end-user can be converted into a resilient InfoSec neophyte, making your job a bit easier.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

Comments
Ariella, User Rank: Apprentice, 6/11/2014 | 1:18:50 PM

tips
All excellent tips. I particularly like the reminder not to just drop acronyms. Not everyone is already familiar enough with the lingo to know what you mean, and they may not want to ask for clarification, especially in a public forum. 