Commentary
4/7/2015 10:30 AM
Joe Ferrara

So, You 'Don't Believe In' Security Education?

You're in the minority for a reason. Here's why.

I’ve heard any number of cyber security professionals downplay the effectiveness of employee awareness and training initiatives. I get it. IT experts love their technologies and their gadgets. It’s why they do what they do for a living. To get these individuals to concede that human safeguards are as important as technical safeguards can be an uphill battle.

But what I don’t get are the industry leaders who put no stock in security education whatsoever. These individuals don’t just downplay the effectiveness of training, they flat out tell people to give up on it. Flying in the face of studies by PwC, IBM, Aberdeen, and others, they’ve publicly shared opinions like these:

  • "Employees can't be expected to keep the company safe…Security training will lead to confusion more than anything else." -- Dave Aitel, in CSO
  • "Training users in security is generally a waste of time." -- Bruce Schneier, in Schneier on Security
  • "Give up on the idea of training this problem away." -- Anup Ghosh, in SecurityWeek

I couldn’t disagree more. And before you chalk that up solely to the fact that I am the CEO of a security education company, my strongly-held belief in the power and effectiveness of user education is much deeper than my drive for success in pursuit of a business opportunity. Quite frankly, I simply don’t understand why people who clearly value education in some contexts are willing to disregard its merits as it pertains to employees’ security behaviors.

Why the assumption that employees can’t learn to be safer?
I find it interesting (okay, outrageous) that the security experts and industry players who vocally bash employee training have themselves benefited immensely from education, and no doubt seek well-educated, experienced individuals to assist them in both their professional and personal lives. It is education, after all, that enables a high school graduate to become a brain surgeon. It’s training that allows an IT generalist to get up to speed and effectively manage a proprietary software platform. It’s education programs that inform employees about company-specific policies and procedures and allow them to execute against plans and directives.

Why the concession that those types of education bear fruit, but security education does not?

It’s important to explore the motivations of the anti-education crowd. Some of the most outspoken anti-education promoters are hardware and software executives — and they’re in the business of selling you network security products. So where do their loyalties lie?

The difference is that I would never tell you to turn off firewalls, disable email filters, or banish technical safeguards. It isn’t an “either-or” in my book. In fact, I think education is most effective when it works with technology to strengthen an organization’s overall security posture. But companies that are not educating their employees are doing themselves a disservice by overtaxing their hardware and software and thereby deciding that their IT teams are better suited to fighting fires from preventable mistakes than they are to furthering business goals.

The dangers of downplaying education
I shared what some opponents of security education have had to say. Now here are some quotes from industry experts who support security education:

  • "Untrained employees drain revenue…Companies without security training for new hires reported average annual financial losses of $683,000, while those [that] do have training said their average financial losses totaled $162,000." – from Key findings from the 2014 US State of Cybercrime Survey (PwC) 
  • "It’s important to educate employees on an ongoing basis about identifying suspicious communications and potential risks to the organization." -- from IBM Security Services, 2014 Cyber Security Intelligence Index 
  • "Between June 2007 and March 2012, Aberdeen has completed 29 independent benchmark studies on a wide variety of topics in IT Security and IT GRC, involving more than 3,500 enterprises from a diverse mixture of geographies, industries and sizes. On average, just over half (53%) of the leading performers across these 29 studies invested in awareness and education for their end-users, compared to less than a third (31%) of laggards. Stated another way, leaders were 70% more likely on average than laggards to indicate investments and current capabilities in this area." – from The Last Mile in IT Security: Changing User Behaviors (Aberdeen)
  • "Employee awareness is critical to the success of any security program…Because adversaries often target employees with social engineering schemes, 100% of respondents should implement an effective employee-training program." -- from The Global State of Information Security® Survey 2014 (PwC)

Interestingly enough, I have never heard a return on investment or risk reduction argument from the anti-education crowd. Their advice doesn’t appear to be based on statistics or studies, just personal preferences.

[Learn more from Joe about the importance of user security education during his conference session, Social Engineering Lesson From The Real World, Friday, May 1, at Interop Las Vegas.]

But what I find most dangerous about the anti-education mindset is that it promotes stagnation within organizations. If there is no possibility of your staff learning anything new, perhaps all the hardware and software companies should stop innovating because new technologies require educated individuals to implement. If education is not of value, perhaps organizations should stop requesting resumes and applications and simply pluck individuals from the sidewalk and put them in business-critical roles.

Ridiculous? Yes! And why? Because there are always avenues for improvement. And all of those roads are forged by education. Industry data overwhelmingly supports the value of security education. The naysayers are just choosing to ignore the data and spew personal opinions rather than empirical evidence. 

Joe Ferrara is the President and CEO of Wombat Security Technologies. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia, and he received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken ...

Comments
jayjacobs, User Rank: Author
7/21/2015 | 9:46:40 AM
Fighting opinion with opinion
What I'm reading here is an opinion combating other opinions. I wish there were more studies like the one you cited saying "Companies without security training for new hires reported average annual financial losses of $683,000, while those [that] do have training said their average financial losses totaled $162,000." That is at least a start in measuring the effectiveness of employee training.
pagliusi, User Rank: Apprentice
4/9/2015 | 9:56:27 PM
Really nice article.
Congratulations! I agree with you completely.
crussell22401, User Rank: Apprentice
4/8/2015 | 9:55:18 AM
Absolutely Vital
You definitely hit a chord with those who I reach out to... training, education and understanding are key to the future of our industry and to the many corporations who choose to undertake a formal program. My experience, however, is that organizations are ill-disposed to spend the money, viewing training as ineffective and not producing the result they expect. There are forms of training (online as well as classroom) that broaden the understanding of all employees which are relatively inexpensive. Employees might consider training and protection to be important were they advised that their own personal information might be at risk without it.
Thomas Claburn, User Rank: Ninja
4/7/2015 | 4:20:12 PM
Re: Just as important
Maybe you disallow email usage for inability to spot spam & scams. That would be an incentive at least.
Marilyn Cohodas, User Rank: Strategist
4/7/2015 | 4:03:26 PM
Re: Just as important
I've read about the effectiveness of real-world tests like that, which makes a lot of sense to me too. But the question that always comes up is what do you do about the people who consistently flunk the test. In-office detention?
Thomas Claburn, User Rank: Ninja
4/7/2015 | 2:58:31 PM
Re: Just as important
Security education works well with gamification. A security vendor (and I forget which one) used to run an interactive phishing identification test on its site, and it was far more engaging than email warnings to be alert.
RyanSepe, User Rank: Ninja
4/7/2015 | 2:51:18 PM
Re: Just as important
I feel that this...

"A key point would be to get users to understand if the company is breached, that truly is a breach on their personal privacy."

...should be incentive enough. I agree with you that the key is to get the employee to see the business as such and not just a large entity without faces/personal aspect.
JosephD817, User Rank: Apprentice
4/7/2015 | 10:55:33 AM
Re: Just as important
To tell you the truth, I have no real hand in user training since I work for the DoD. It is all pushed down from above and mandatory to all users.

A key point would be to get users to understand if the company is breached, that truly is a breach on their personal privacy.

Perhaps some type of incentive if there are no security incidents created from within in a certain amount of time.
Marilyn Cohodas, User Rank: Strategist
4/7/2015 | 10:47:36 AM
Re: Just as important
I think you hit the nail on the head, @JosephD817. The trick is getting users to care. What are your strategies?
JosephD817, User Rank: Apprentice
4/7/2015 | 10:43:29 AM
Just as important
Thanks for the read. I also agree that user awareness is of the utmost importance, as they are the reason most attacks are found.

Equally as important, I believe, is getting the users to have interest or a sense of ownership for the company, so they will then feel like if the company is attacked, it is an attack on themselves. Once the users get in this mindset, they are more apt to want to protect the company and themselves from a security perspective.