Is user security awareness training worth it?
Back in August 2013 I blogged about the importance of IT staff training, and I’d planned to follow up shortly after that with a post about end user training. Unfortunately the challenges of a new role took over, and it’s only now I’m returning to the topic, with a particular challenge in mind, increasing end user awareness of information security threats.
The topic came to the front of my mind as I sat in a training course on Information Security Management Principles at QA Training’s training centre at International House in London. The trainer had started a discussion about the two schools of thought in the infosec industry about whether training programs to improve user security awareness are the right approach. As us trainees debated the topic I suddenly though, “why this this such a polarised debate, why is it a choice between one or the other?”
For those of you who haven’t heard the arguments before, these two quotes typify the position of the opposing sides;
“Organizations that do not have security awareness programs—in particular, training for new employees—report significantly higher average financial losses from cybersecurity incidents”. (PwC, June 2014, ‘Key findings from the 2014 US State of Cybercrime Survey‘)
“I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design” (Bruce Schneier, March 2013, ‘Schneier on Security‘)
I find the arguments against security awareness training a bit shrill, and the cynic in me thinks such statements are intended to spark debate or create publicity, rather than make a serious point. I prefer the more balanced view presented by Fahmida Rashid in this article, where one of her key messages was that awareness ≠ responsibility. It is IT’s responsibility to secure the network, but it is users responsibility to adhere to policies (an important part of user security awareness) and report events they think are suspicious.
It’s just like driving a car
When I think about the interface between users and computers I find myself drawing parallels with driving a car (an imperfect metaphor, I know). The automotive industry has, over the years, improved the design of cars to improve their safety and security, thereby reducing the dependency on the driver to prevent or avoid accidents. Comparing the first car I drove (a 998 cc Austin Metro) to my current car (a Mazda 6 Estate), I feel far safer in the latter because of the multitude of features which reduce the probability of an accident occurring, or the impact of any accident.
The question is, can any of those design features stop me crashing if I don’t look where I’m going? Will they stop me crashing if I drive round a corner far too fast in icy conditions? No, that is down to driver training. I know how to use my car, I know it’s limits, I know how it interacts with the driving environment, and what I should and should not do.
You can’t do one without the other
Like the designers in the automotive industry, software developers need to constantly refine and improve their code, reduce risk for the ‘driver’ as far as possible, warning them when something is amiss, and ensuring that the impact of any potential incident is reduced as far as possible.
Conversely, the user needs to be trained, and whilst that training cannot be enshrined in legislation (as the driving test is, with good reason) it should be embedded within the education system from day one (primary education), and it needs to be part of the culture of any institution.
I have some ideas about how to build an awareness of information security amongst our users, which I think is quite innovative! If it works, there’ll be a set of blog posts on how we did it, and how you can re-use those ideas. If it doesn’t, there’ll probably be one grumpy post on why.