Fahmida Y. Rashid

Is Security Awareness Training Really Worth It?

Experts weigh in on the value of end-user security training, and how to make education more effective.


Nothing riles up information security professionals quicker than the question of how much to invest in security awareness training. Does it work? Is it worth the money?

"There are three things you don't talk about in security: religion, politics, and security awareness training," says Jennifer Minella, VP of engineering with Carolina Advanced Digital and a member of the board for the International Information Systems Security Certifications Consortium, or (ISC)2.

Not that security training doesn't work. In the 2014 US State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks. The financial value of employee awareness was also compelling, the report found: companies without security training for new hires reported average annual financial losses of $683,000, compared with $162,000 for companies that provided such training.

Security professionals generally recognize the importance of security awareness training as part of an overall information security plan. Users need to know they have a role in securing the organization's data. In (ISC)2's latest Global Information Security Workforce Study, adherence to security policy and training staff on security policy ranked No. 3 and No. 4 in effectively helping secure an organization's infrastructure.

But then there are high-profile security experts such as Bruce Schneier, CTO of Co3 Systems, who've argued that training is mostly a waste of time. Users aren't information security experts and shouldn't be expected to keep ahead of potential threats. These experts believe the focus on awareness training takes attention away from bigger industry issues such as failures in software design and lack of technical controls.

The dividing line?

For most enterprises, it's not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees. Rather, the question is, how much training is enough? The list of companies suffering data breaches is growing steadily, and many of them made significant investments in training, raising questions about its effectiveness.

"It's weird that we are saying, 'Don't click,' to users," says Dave Aitel, CEO of Immunity, a security software company. Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them, he says.

The counterpoint is that users aren't stupid and should share some responsibility in keeping their companies secure, Minella says. All employees, regardless of role or position, are expected to represent the company's strategic goals and behave accordingly at work, at home, and on social media.

"Security is not siloed anymore, and everyone needs to work together on common business goals," she says.

Awareness, not responsibility?

The anti-training camp argues that the emphasis on security awareness training frequently means that users catch the blame when a data breach occurs. A number of recent major data breaches began with a spear-phishing email, and security departments sometimes blame the compromises on "so-and-so clicking on the email" rather than concede that the organization didn't have the right security defenses in place.

"There is a difference between awareness and relying on training users to avoid the threats," says Anup Ghosh, CEO of security software firm Invincea.

If a company wants to protect sensitive intellectual property from corporate espionage, it acquires and configures firewalls and other defenses. But if the company is concerned about spear phishing, the answer is inevitably, "'We will train the users,' which doesn't make any sense," Ghosh says. Spear phishing should not be treated as a problem with users, but rather as an attack on users requiring a technical response.

Read the rest of the story in the new issue of InformationWeek Tech Digest (free registration required).

User Rank: Strategist
11/20/2014 | 6:04:35 PM
Re: EVERYONE must be part of the solution.
@aws0513 - I love the quote!  I love the book.  So many truths you can apply to life in general.

My husband takes issue with locking doors (he grew up in rural Pennsylvania) because of an old folk tale his dad told him about "Indians" attacking and pillaging homes in a village but skipping the houses that were unlocked because it was a sign of trust.

User Rank: Ninja
11/20/2014 | 5:32:25 PM
Re: EVERYONE must be part of the solution.
There is some truth to what you say @vnewman2.

"Thus, what is of supreme importance in war is to attack the enemy's strategy." - Sun-Tzu

Most cultures grasp the concept of physical security already.  Lock doors, stay away from dangerous parts of town, don't flash large amounts of money around, learn self-defense skills, don't talk to strangers unless you have an exit plan or are in a public place that you feel is safe.  Entire industries live off of the fact that there are dangerous people in our world.

But for some reason, especially on the civilian side of things, that danger has not been fully recognized or realized.  The damage caused by hackers and inside threats is not palpable to most computer users.  The breach reports look like a bunch of numbers... or just plain FUD.  No blood, few tears, no funeral processions, nothing seems to have been lost.

For the military, the systems they use to do what they need to do are all considered critical, albeit some more than others.
If a system fails because it was not properly maintained and protected, lives could be put at risk on both sides of the front of a war or battle.  So from the day they begin basic training, military troops are taught how important it is to maintain security awareness in everything they do.  The practice becomes rote...  second nature...  just like locking the car door is for most civilians.  The practices are the same during peace-time as they are during war-time, with the only exception being a heightened situational awareness when the bullets start to fly.

So... How do we get civilians to see the dangers in a similar light?
Sadly, even though I believe awareness programs are important, I do not believe they will be truly effective unless people know there are palpable repercussions for not paying attention to the information provided and acting on situations as directed.
My fear is something truly horrible will happen someday.  An event that affects everyone in a truly tragic way, that will become the catalyst for cultural change.  I do not want that to happen, but more and more it seems like a reality.
I can only hope that "harping" on the subject of information security with my peers, my coworkers, and my organization management...  every day...  eventually sinks in enough to make a difference.  I have seen a few good results.  But for every good practice, I see many more bad practices yet to be remedied or prevented.
User Rank: Strategist
11/20/2014 | 2:10:08 PM
Re: EVERYONE must be part of the solution.
@aws0513 "I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it"."

Exactly.  And what the end user fails to understand is that the hackers and cybercriminals of the world are always one step ahead, inventing new ways of breaching the security measures already in place.  

Maybe "training" on what to watch out for isn't enough.  Maybe we have to train people to think like a crook and to question everything more readily - much like a member of the military who is always observant of their surroundings, pays attention to details, and is always on alert for anything that looks suspicious or outside the norm.
User Rank: Apprentice
11/20/2014 | 3:50:16 AM
Humans need help!
Security is never going to be top of everyone's priority list. Our research found 52% of workers did not realise that sharing work related logins was a risk. Users are human beings, they are flawed, they will always act outside the boundaries of policy (and sometimes common sense). An optimum strategy to mitigate the risk from this unintentional insider threat is a joined up approach of better training and help from technology solutions. Technology solutions, such as UserLock, which outright restrict some of the bad user behavior (preventing password sharing, restrictions on network access etc), as well as helping educate and disseminate good behavior. This help from technology solutions helps employees get on board with security policy and reinforces the user security awareness training they receive.
User Rank: Apprentice
11/19/2014 | 11:49:20 AM
Re: Responsibility and Empowerment
That police analogy is apt. I was struck by the argument that focusing on security training is leading to victim-blaming, much like what happens when a crime occurs. Training is important, but we don't want IT saying "it's the users' responsibility not mine," either.

So really, *everyone* has to take part.
User Rank: Ninja
11/19/2014 | 10:26:35 AM
EVERYONE must be part of the solution.
During my 22 years of military service, I observed how IT became integral to operations for the military.
Information security practices had already been established in the military long before IT for the masses was even possible. The information security practices had to adjust, but the expectations continued to be consistent.

There are common acronyms in the military: OPSEC (Operations Security) and INFOSEC (Information Security). All units in the military are responsible for practicing OPSEC and INFOSEC as specified by various military regulations. These concepts were around when paper, typewriters, and POTS (plain old telephone systems) were the norm. These concepts still exist today, but have adapted to include the use of computers and networking technologies.

During unit compliance inspections, units are tested/evaluated for their OPSEC and INFOSEC programs. This applies to ALL units. Even though there is usually a specific team on a military installation responsible for the overall establishment of OPSEC and INFOSEC programs within the tenant units, the tenant units are measured for their compliance with that program.
I have seen situations where the oversight team for OPSEC and INFOSEC programs for a military installation did everything they could to get everyone on the right track regarding INFOSEC and OPSEC, but then see a tenant unit fail their INFOSEC or OPSEC inspections (sometimes in spectacular fashion). In classic military form, the final black mark for the evaluation hits the oversight team AND the tenant unit that failed the evaluation AND the installation commander responsible for both. In other words, even though it was the tenant unit that failed the evaluation, everyone in the chain of command is held accountable. Of course, when such things happen... well... stuff rolls down hill and collateral damage is wide sweeping.
The end result: A culture of security consciousness within the entire installation that is consistent and considered normal. Anything "not normal" is considered not good and dealt with swiftly in an appropriate manner.
If only I could get civilian organizations to have the same culture.

Ongoing IT Security Awareness for all organization members is absolutely necessary.
EVERYONE in an organization, from the CEO to the employee sweeping the floors, is responsible for the security of the organization.
In some cases, even customers must understand the security concerns involved with doing business with an organization and accept that they must follow certain protocols in order to properly and safely receive services.

I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it".
My common response: "If that were true for everyone, I would not be spending so much time on incident responses involving poor user practices."
User Rank: Moderator
11/19/2014 | 9:35:10 AM
Re: Responsibility and Empowerment
Good point, we can't expect IT to act as both the utilities companies and the police at the same time; there must be some responsibility on employees to be vigilant when it comes to maintaining a secure work environment.  The problem is it's just way too easy for them to transfer the responsibility to say "this is the responsibility of IT security, not mine" despite them being aware that the weakest links to security tend to be the front lines: email and web interactions.
User Rank: Moderator
11/19/2014 | 7:05:00 AM
Responsibility and Empowerment
>> "Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them".

Apply the same argument to real life: People should be allowed to do whatever they need to achieve fulfilling lives, and it's law enforcement's job to create an environment to protect them.

These are ideals, and they are not wrong to express. But there is the reality of it all. The fact is, you play a role in maintaining your own safety in life. The cops themselves will tell you they can't do it all.

We all bear some responsibility for our own security safety.
User Rank: Ninja
11/18/2014 | 3:06:02 PM
Is Security Awareness Training Really Worth It
If you believe as I do that users are the weakest link in the information security defense structure, then the answer is a resounding YES! The qualifier is that the awareness training must be coherent, relevant, and its effectiveness must be measurable.