Endpoint | Commentary
4/7/2015 10:30 AM
Joe Ferrara

So, You 'Don't Believe In' Security Education?

You're in the minority for a reason. Here's why.

I’ve heard any number of cyber security professionals downplay the effectiveness of employee awareness and training initiatives. I get it. IT experts love their technologies and their gadgets. It’s why they do what they do for a living. To get these individuals to concede that human safeguards are as important as technical safeguards can be an uphill battle.

But what I don’t get are the industry leaders who put no stock in security education whatsoever. These individuals don’t just downplay the effectiveness of training, they flat out tell people to give up on it. Flying in the face of studies by PwC, IBM, Aberdeen, and others, they’ve publicly shared opinions like these:

  • "Employees can't be expected to keep the company safe…Security training will lead to confusion more than anything else." -- Dave Aitel, in CSO
  • "Training users in security is generally a waste of time." -- Bruce Schneier, in Schneier on Security
  • "Give up on the idea of training this problem away." -- Anup Ghosh, in SecurityWeek

I couldn’t disagree more. And before you chalk that up solely to the fact that I am the CEO of a security education company, my strongly-held belief in the power and effectiveness of user education is much deeper than my drive for success in pursuit of a business opportunity. Quite frankly, I simply don’t understand why people who clearly value education in some contexts are willing to disregard its merits as it pertains to employees’ security behaviors.

Why the assumption that employees can’t learn to be safer?
I find it interesting (okay, outrageous) that the security experts and industry players who vocally bash employee training have themselves benefited immensely from education, and no doubt seek out well-educated, experienced individuals to assist them in both their professional and personal lives. It is education, after all, that enables a high school graduate to become a brain surgeon. It's training that allows an IT generalist to get up to speed and effectively manage a proprietary software platform. It's education programs that inform employees about company-specific policies and procedures and allow them to execute against plans and directives.

Why the concession that those types of education bear fruit, but security education does not?

It’s important to explore the motivations of the anti-education crowd. Some of the most outspoken anti-education promoters are hardware and software executives — and they’re in the business of selling you network security products. So where do their loyalties lie?

The difference is that I would never tell you to turn off firewalls, disable email filters, or banish technical safeguards. It isn’t an “either-or” in my book. In fact, I think education is most effective when it works with technology to strengthen an organization’s overall security posture. But companies that are not educating their employees are doing themselves a disservice by overtaxing their hardware and software and thereby deciding that their IT teams are better suited to fighting fires from preventable mistakes than they are to furthering business goals.

The dangers of downplaying education
I shared what some opponents of security education have had to say. Now here are some quotes from industry experts who support security education:

  • "Untrained employees drain revenue…Companies without security training for new hires reported average annual financial losses of $683,000, while those [that] do have training said their average financial losses totaled $162,000." -- from Key findings from the 2014 US State of Cybercrime Survey (PwC)
  • "It’s important to educate employees on an ongoing basis about identifying suspicious communications and potential risks to the organization." -- from IBM Security Services, 2014 Cyber Security Intelligence Index
  • "Between June 2007 and March 2012, Aberdeen has completed 29 independent benchmark studies on a wide variety of topics in IT Security and IT GRC, involving more than 3,500 enterprises from a diverse mixture of geographies, industries and sizes. On average, just over half (53%) of the leading performers across these 29 studies invested in awareness and education for their end-users, compared to less than a third (31%) of laggards. Stated another way, leaders were 70% more likely on average than laggards to indicate investments and current capabilities in this area." -- from The Last Mile in IT Security: Changing User Behaviors (Aberdeen)
  • "Employee awareness is critical to the success of any security program…Because adversaries often target employees with social engineering schemes, 100% of respondents should implement an effective employee-training program." -- from The Global State of Information Security® Survey 2014 (PwC)

Interestingly enough, I have never heard a return on investment or risk reduction argument from the anti-education crowd. Their advice doesn’t appear to be based on statistics or studies, just personal preferences.

[Learn more from Joe about the importance of user security education during his conference session, Social Engineering Lessons From The Real World, Friday, May 1, at Interop Las Vegas.]

But what I find most dangerous about the anti-education mindset is that it promotes stagnation within organizations. If there is no possibility of your staff learning anything new, perhaps all the hardware and software companies should stop innovating because new technologies require educated individuals to implement. If education is not of value, perhaps organizations should stop requesting resumes and applications and simply pluck individuals from the sidewalk and put them in business-critical roles.

Ridiculous? Yes! And why? Because there are always avenues for improvement. And all of those roads are forged by education. Industry data overwhelmingly supports the value of security education. The naysayers are just choosing to ignore the data and spew personal opinions rather than empirical evidence. 

Joe Ferrara is the President and CEO of Wombat Security Technologies. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia, and he received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken ...

Comments

jayjacobs, User Rank: Author, 7/21/2015 | 9:46:40 AM
Fighting opinion with opinion
What I'm reading here is an opinion combating other opinions. I wish there were more studies like the one you cited saying "Companies without security training for new hires reported average annual financial losses of $683,000, while those [that] do have training said their average financial losses totaled $162,000." That is at least a start in measuring the effectiveness of employee training.

pagliusi, User Rank: Apprentice, 4/9/2015 | 9:56:27 PM
Really nice article.
Congratulations! I agree with you completely.

crussell22401, User Rank: Apprentice, 4/8/2015 | 9:55:18 AM
Absolutely Vital
You definitely hit a chord with those whom I reach out to... training, education and understanding are key to the future of our industry and to the many corporations who choose to undertake a formal program. My experience, however, is that organizations are ill-disposed to spend the money, viewing training as ineffective and not producing the result they expect. There are forms of training (online as well as classroom) that broaden the understanding of all employees and which are relatively inexpensive. Employees might consider training and protection to be important were they advised that their own personal information might be at risk without it.

Thomas Claburn, User Rank: Ninja, 4/7/2015 | 4:20:12 PM
Re: Just as important
Maybe you disallow email usage for inability to spot spam & scams. That would be an incentive at least.

Marilyn Cohodas, User Rank: Strategist, 4/7/2015 | 4:03:26 PM
Re: Just as important
I've read about the effectiveness of real-world tests like that, which makes a lot of sense to me too. But the question that always comes up is what do you do about the people who consistently flunk the test. In-office detention?

Thomas Claburn, User Rank: Ninja, 4/7/2015 | 2:58:31 PM
Re: Just as important
Security education works well with gamification. A security vendor (and I forget which one) used to run an interactive phishing identification test on its site, and it was far more engaging than email warnings to be alert.

RyanSepe, User Rank: Ninja, 4/7/2015 | 2:51:18 PM
Re: Just as important
I feel that this...

"A key point would be to get users to understand if the company is breached, that truly is a breach on their personal privacy."

...should be incentive enough. I agree with you that the key is to get the employee to see the business as such and not just as a large entity without faces or a personal aspect.

JosephD817, User Rank: Apprentice, 4/7/2015 | 10:55:33 AM
Re: Just as important
To tell you the truth, I have no real hand in user training since I work for the DoD. It is all pushed down from above and mandatory for all users.

A key point would be to get users to understand if the company is breached, that truly is a breach on their personal privacy.

Perhaps some type of incentive if there are no security incidents created from within in a certain amount of time.

Marilyn Cohodas, User Rank: Strategist, 4/7/2015 | 10:47:36 AM
Re: Just as important
I think you hit the nail on the head, @JosephD817. The trick is getting users to care. What are your strategies?

JosephD817, User Rank: Apprentice, 4/7/2015 | 10:43:29 AM
Just as important
Thanks for the read. I also agree that user awareness is of the utmost importance, as they are the reason most attacks are found.

Equally as important, I believe, is getting the users to have an interest in or a sense of ownership of the company, so they will then feel that if the company is attacked, it is an attack on themselves. Once users get into this mindset, they are more apt to want to protect the company and themselves from a security perspective.