Bruce Schneier
Commentary
3/19/2013 07:39 AM

On Security Awareness Training

The focus on training obscures the failures of security design

Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater failings in security design.

In order to understand my argument, it's useful to look at training's successes and failures. One area where it doesn't work very well is health. We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever. And people are forever ignoring the lessons. One basic reason is psychological: We just aren't very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventuality; sitting in front of the television all afternoon with a McDonald's Super Monster Meal sounds really good right now.

Similarly, computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.

Another reason health training works poorly is that it’s hard to link behaviors with benefits. We can train anyone -- even laboratory rats -- with a simple reward mechanism: Push the button, get a food pellet. But with health, the connection is more abstract. If you’re unhealthy, then what caused it? It might have been something you did or didn’t do years ago. It might have been one of the dozen things you have been doing and not doing for months. Or it might have been the genes you were born with. Computer security is a lot like this, too.

Training laypeople in pharmacology also isn't very effective. We expect people to make all sorts of medical decisions at the drugstore, and they're not very good at it. Turns out that it's hard to teach expertise. We can't expect every mother to have the knowledge of a doctor, pharmacist, or RN, and we certainly can't expect her to become an expert when most of the advice she's exposed to comes from manufacturers' advertising. In computer security, too, a lot of advice comes from companies with products and services to sell.

One area of health that is a training success is HIV prevention. HIV may be very complicated, but the rules for preventing it are pretty simple. And aside from certain sub-Saharan countries, we have taught people a new model of their health and have dramatically changed their behavior. This is important: Most lay medical expertise stems from folk models of health. Similarly, people have folk models of computer security. Maybe they're right, and maybe they're wrong, but they're how people organize their thinking. This points to a possible way that computer security training can succeed. We should stop trying to teach expertise, pick a few simple metaphors of security, and train people to make decisions using those metaphors.

On the other hand, we still have trouble teaching people to wash their hands -- even though it’s easy, fairly effective, and simple to explain. Notice the difference, though. The risks of catching HIV are huge, and the cause of the security failure is obvious. The risks of not washing your hands are low, and it’s not easy to tie the resultant disease to a particular not-washing decision. Computer security is more like hand washing than HIV.

Another area where training works is driving. We trained, either through formal courses or one-on-one tutoring, and passed a government test to be allowed to drive a car. One reason that works is because driving is a near-term, really cool, obtainable goal. Another reason is even though the technology of driving has changed dramatically over the past century, that complexity has been largely hidden behind a fairly static interface. You might have learned to drive 30 years ago, but that knowledge is still relevant today.

On the other hand, password advice from 10 years ago isn't relevant today. Can I bank from my browser? Are PDFs safe? Are untrusted networks OK? Is JavaScript good or bad? Are my photos more secure in the cloud or on my own hard drive? The "interface" we use to interact with computers and the Internet changes all the time, along with best practices for computer security. This makes training a lot harder.

Food safety is my final example. We have a bunch of simple rules -- cooking temperatures for meat, expiration dates on refrigerated goods, the three-second rule for food being dropped on the floor -- that are mostly right, but often ignored. If we can’t get people to follow these rules, then what hope do we have for computer security training?

To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behaviors to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.

Even if we could invent an effective computer security training program, there's one last problem. HIV prevention training works because affecting what the average person does is valuable. Even if only half of the population practices safe sex, those actions dramatically reduce the spread of HIV. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in. As long as we build systems that are vulnerable to the worst case, raising the average case won't make them more secure.
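As an added illustration (not part of the article), the weakest-link arithmetic behind the four-fifths argument, under a model I constructed: each employee independently fails a phish with some probability, one failure is enough for an attacker, and a design fix removes the failure mode for everyone.

```python
"""Weakest-link arithmetic behind the four-fifths argument.

Assumed model (an added illustration, not from the article): each of N
employees independently falls for a given phish with probability p, and a
single failure is enough for the attacker to get in.  Training lowers p
for the trained fraction only; a design fix removes the failure mode for
everyone (p = 0), which is the contrast the article draws.
"""


def org_breach_probability(n_employees: int, p_untrained: float,
                           p_trained: float, coverage: float) -> float:
    """P(at least one employee fails) when a fraction `coverage` of staff
    has been trained down to p_trained and the rest remain at p_untrained."""
    n_trained = round(n_employees * coverage)
    n_untrained = n_employees - n_trained
    # Everyone has to hold for the attacker to fail; failures are independent.
    p_everyone_holds = (1 - p_trained) ** n_trained * (1 - p_untrained) ** n_untrained
    return 1 - p_everyone_holds


def expected_victim_fraction(p_untrained: float, p_trained: float,
                             coverage: float) -> float:
    """The 'average case' metric (the HIV-prevention analogy): expected share
    of the population harmed, which falls linearly with coverage."""
    return coverage * p_trained + (1 - coverage) * p_untrained


def training_vs_design(n_employees: int = 100, p_untrained: float = 0.10,
                       p_trained: float = 0.01) -> dict:
    """Compare no training, four-fifths coverage, full coverage and a design
    fix (failure mode removed) under both metrics.  Rates are constructed."""
    rows = {}
    for label, coverage in (("untrained", 0.0), ("four-fifths", 0.8), ("all", 1.0)):
        rows[label] = (
            org_breach_probability(n_employees, p_untrained, p_trained, coverage),
            expected_victim_fraction(p_untrained, p_trained, coverage),
        )
    # Design fix: the action can no longer hurt, so per-user failure is 0.
    rows["design-fix"] = (org_breach_probability(n_employees, 0.0, 0.0, 1.0), 0.0)
    return rows


if __name__ == "__main__":
    for label, (p_org, avg) in training_vs_design().items():
        print(f"{label:12s} org breach {p_org:6.1%}   avg victims {avg:5.1%}")
```

With these constructed rates, the average-victim metric falls from 10% to 2.8% at four-fifths coverage, while the organisation-level breach probability stays above 90%; only the design fix takes it to zero.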

The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones. Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested. That's how we should be designing security interfaces. And we should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.

If we security engineers do our job right, then users will get their awareness training informally and organically from their colleagues and friends. People will learn the correct folk models of security and be able to make decisions using them. Then maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off. That makes a whole lot more sense.

Bruce Schneier is chief security technology officer at BT, and the author of several security books as well as the Schneier On Security blog. Special to Dark Reading

Comments
Jeff LoSapio,
User Rank: Apprentice
3/19/2013 | 5:41:18 PM
re: On Security Awareness Training
This debate continues with too many absolute positions. Is anything in security absolute? We spend a ton of money on AV, firewalls, IDS, etc... yet there are still virus infections and network breaches. Should we throw our hands up and declare all of this technology worthless because bad things keep happening? Whatever happened to the notion of defense-in-depth? If we can agree that end users are vulnerabilities (or sometimes actual threats), then shouldn't we attempt to "remediate" the issue with training? And yes, it's not 100% successful, but neither are the majority of technical security controls. Risk management is about transferring, avoiding, or reducing negative impacts. So if we can train a material percentage of end users to avoid risky behavior, then haven't we reduced risk? And isn't that in the job description?

The problem with most security awareness programs is that they were designed to meet a compliance requirement, and not designed to be effective in changing employee behavior.

Who designed the program at your company? Most likely a security manager or engineer who has no experience in communications, training, or content development. Would you let someone from your HR group configure the firewall?

How often is your awareness program updated? Most likely once a year, if ever.

Do you have any quantifiable goals for the program? Besides counting how many people attended a boring presentation or watched a boring CBT.

The media seems to love this debate, and yet there are rarely any articles about the benefits of awareness training or profiles of successful programs.
Ben0xA,
User Rank: Apprentice
3/19/2013 | 6:48:44 PM
re: On Security Awareness Training
I respectfully disagree. My rebuttal -> http://ben0xa.com/security-awa...
kjhiggins,
User Rank: Strategist
3/19/2013 | 9:10:49 PM
re: On Security Awareness Training
I have seen a lot of impassioned debate on this topic on Twitter today. I'd love to hear what readers have experienced with their internal user training programs, as well as the point about investing more in security training for developers.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Ben0xA,
User Rank: Apprentice
3/19/2013 | 9:48:55 PM
re: On Security Awareness Training
Kelly, I talk a lot about how we changed our program and what happened with our users during my DerbyCon 2012 talk. It's a fundamental change to the user security awareness program. It's not about a 2 hour jam session once a year. It's about investing in the education of the user base. The trainings must die, but education needs to take its place.

I talk about this in my blog post listed below in the comments as well as link to my DerbyCon talk.
EGALLAGHER240,
User Rank: Apprentice
3/20/2013 | 8:38:42 PM
re: On Security Awareness Training
From personal experience (at a previous employer) I dropped our virus counts over 200% in the course of a year by providing simple training/tips on a continual basis to my users. (not just once a year, train, sign off and forget) I did it via emails every week or so about the latest attack vectors and general security topics. Once you get the users' interest and buy-in, the rest is easy. Published a few years ago via an article on searchsecurity.com. http://searchsecurity.techtarg...
George Ou,
User Rank: Apprentice
3/19/2013 | 10:34:35 PM
re: On Security Awareness Training
So what you're basically saying is that unless someone devises an electric shock mechanism via bluetooth or USB interface that activates whenever the user does something stupid, then user training is probably useless.
brunes,
User Rank: Apprentice
3/20/2013 | 12:43:37 PM
re: On Security Awareness Training
The one part of this I disagree with is the notion that we should be designing systems that force you to choose long passwords. This is already too big a problem today on the internet. I don't care if jo-schmo-blog-101's site is compromised, so I should not be forced to create a long password there. Similarly, guess what, I don't really care much if someone hacks into my hulu account. The number of accounts on the internet that I actually care if they were compromised (because they store personal data that I care about) are very few and far between. Yet, EVERY website thinks that they are important enough that they need to be an iron vault.

Rather, online passwords should be obliterated, or used sparingly. Sites need to make more use of the federated identity systems of Google, Twitter, OpenID and Facebook. I should not need to have 150 different usernames and passwords, all of which are possible attack vectors, to use the internet. And if you are running a site and refuse to do this, then I certainly should not have to choose an 8 character alphanumeric password to post pseudo-anonymously on a blog like this one.

Forcing people to create ever-more complex passwords to access low-security data simply makes the problem worse and worse because people then re-use those passwords on multiple sites because they have no other sane alternatives. And then ONE of those sites is compromised, making ALL of the other sites compromised, some of which MAY be storing important information. Whereas if the user was allowed to use crappy one time passwords on these unimportant sites, it would not be a problem. Or even better, just allow login with OpenID or Google or Facebook.
stefragre,
User Rank: Apprentice
3/20/2013 | 1:23:13 PM
re: On Security Awareness Training
Aside from the obvious, Bruce is right about something else, change your passwords/phrases regularly....
slimjim00,
User Rank: Apprentice
3/20/2013 | 3:23:30 PM
re: On Security Awareness Training
I disagree. Whether you're a developer or Joe (End-Loser) user, it's your job to be aware and cognizant of these daily threats and the Security Engineers' to inform and educate them. The problem of being Social Engineered is systemic from ground zero.

I think to do nothing for and just count Joe User completely out of the picture is a sure recipe for failure. After all Security is ever so changing and will always be a layered approach. After all the End Loser is your weakest link, right next to the lazy coder or developer. Right?
DougShieldsSecurity,
User Rank: Apprentice
3/20/2013 | 3:48:02 PM
re: On Security Awareness Training
If the US government had taken this same defeatist attitude regarding healthcare, we would not have affected smoking rates in this country over the years. We have. Also look at the buzz generated by the movie SuperSizeMe. Employee behavior modification is the goal and it can be done effectively. You just need the right program to get employees to think before mindlessly clicking on links, making Facebook posts, bragging about IP in a bar, etc..
solardalek,
User Rank: Apprentice
3/20/2013 | 8:32:10 PM
re: On Security Awareness Training
You wrote: "If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in."

I disagree with this. When the "bad guys get in" among the untrained, they're typically serving ads and sending spam. More serious attacks CAN be detected and prevented with adequate training. Successful non-fatal attacks may even encourage the untrained to seek training that will help them prevent more serious attacks in the future.

More:
http://tinyurl.com/bshcdvn
KMA01,
User Rank: Apprentice
3/20/2013 | 9:09:44 PM
re: On Security Awareness Training
Obviously you don't know much about IT security and never had to deal with phishing and social engineering.
pjhillier,
User Rank: Apprentice
3/21/2013 | 11:42:12 AM
re: On Security Awareness Training
I particularly enjoyed Dr. Gary Hinson's response to this tripe: http://blog.noticebored.com/20...

On a personal note, I suspect poor Bruce isn't getting enough attention lately.
Scizyr,
User Rank: Apprentice
3/25/2013 | 7:17:43 PM
re: On Security Awareness Training
I have never been a fan of Dark Reading. My initial impressions when I first discovered it was that it was filled with a bunch of hacks who don't really know what they are talking about. I'm glad to see my first impression was justified. Because Bruce doesn't know how to properly train people or care to become better at training we should all just give up on education entirely. Don't bother teaching your kids to look both ways before crossing the road, that will ruin the fun they have playing in traffic.

In response to Bruce's direct question to the readers: "Have you ever met an actual user?"
Yes, I work with end-users daily as part of my responsibilities. I am unfortunate to be employed by a company with hundreds of employees that has no training program in place and it is solely my responsibility to mitigate security risks. In the few years at this position I have dramatically decreased the amount of viruses and phishing attacks by having one-on-one conversations with the end-users, explaining to them simple things they can try to detect these things. They aren't technical and they don't learn quickly like technically-minded people but it gets them thinking about it and soon they start learning on their own. Now they contact me when they see something suspicious on their computers.

This is just one example where very brief, low-level training has very clear and measurable benefits.

If you really want to know why the InfoSec industry is in such a desperate state, look no further than the author of this blog post, employed as a "chief security technology officer." Bruce Schneier, may your reputation be forever blemished for authoring such nonsense.
nannasin28,
User Rank: Apprentice
4/16/2013 | 3:00:03 AM
re: On Security Awareness Training
they have no other sane alternatives. AMS1117