I’ve heard any number of cyber security professionals downplay the effectiveness of employee awareness and training initiatives. I get it. IT experts love their technologies and their gadgets. It’s why they do what they do for a living. To get these individuals to concede that human safeguards are as important as technical safeguards can be an uphill battle.
But what I don’t get are the industry leaders who put no stock in security education whatsoever. These individuals don’t just downplay the effectiveness of training, they flat out tell people to give up on it. Flying in the face of studies by PwC, IBM, Aberdeen, and others, they’ve publicly shared opinions like these:
- "Employees can't be expected to keep the company safe…Security training will lead to confusion more than anything else." -- Dave Aitel, in CSO
- "Training users in security is generally a waste of time." -- Bruce Schneier, in Schneier on Security
- "Give up on the idea of training this problem away." -- Anup Ghosh, in SecurityWeek
I couldn’t disagree more. And before you chalk that up solely to the fact that I am the CEO of a security education company, my strongly-held belief in the power and effectiveness of user education is much deeper than my drive for success in pursuit of a business opportunity. Quite frankly, I simply don’t understand why people who clearly value education in some contexts are willing to disregard its merits as it pertains to employees’ security behaviors.
Why the assumption that employees can’t learn to be safer?
I find it interesting (okay, outrageous) that security experts and industry players who vocally bash employee training have themselves benefited immensely from education, and no doubt seek well-educated, experienced individuals to assist them in both their professional and personal lives. It is education, after all, that enables a high school graduate to become a brain surgeon. It’s training that allows an IT generalist to get up to speed and effectively manage a proprietary software platform. It’s education programs that inform employees about company-specific policies and procedures and allow them to execute against plans and directives.
Why the concession that those types of education bear fruit, but security education does not?
It’s important to explore the motivations of the anti-education crowd. Some of the most outspoken anti-education promoters are hardware and software executives — and they’re in the business of selling you network security products. So where do their loyalties lie?
The difference is that I would never tell you to turn off firewalls, disable email filters, or banish technical safeguards. It isn’t an “either-or” in my book. In fact, I think education is most effective when it works with technology to strengthen an organization’s overall security posture. But companies that are not educating their employees are doing themselves a disservice by overtaxing their hardware and software and thereby deciding that their IT teams are better suited to fighting fires from preventable mistakes than they are to furthering business goals.
The dangers of downplaying education
I shared what some opponents of security education have had to say. Now here are some quotes from industry experts who support security education:
- "Untrained employees drain revenue…Companies without security training for new hires reported average annual financial losses of $683,000, while those [that] do have training said their average financial losses totaled $162,000." – from Key findings from the 2014 US State of Cybercrime Survey (PwC)
- "It’s important to educate employees on an ongoing basis about identifying suspicious communications and potential risks to the organization." -- from IBM Security Services, 2014 Cyber Security Intelligence Index
- "Between June 2007 and March 2012, Aberdeen has completed 29 independent benchmark studies on a wide variety of topics in IT Security and IT GRC, involving more than 3,500 enterprises from a diverse mixture of geographies, industries and sizes. On average, just over half (53%) of the leading performers across these 29 studies invested in awareness and education for their end-users, compared to less than a third (31%) of laggards. Stated another way, leaders were 70% more likely on average than laggards to indicate investments and current capabilities in this area." -- from The Last Mile in IT Security: Changing User Behaviors (Aberdeen)
- "Employee awareness is critical to the success of any security program…Because adversaries often target employees with social engineering schemes, 100% of respondents should implement an effective employee-training program." -- From The Global State of Information Security® Survey 2014 (PwC)
Interestingly enough, I have never heard a return on investment or risk reduction argument from the anti-education crowd. Their advice doesn’t appear to be based on statistics or studies, just personal preferences.
[Learn more from Joe about the importance of user security education during his conference session, Social Engineering Lessons From The Real World, Friday, May 1, at Interop Las Vegas.]
But what I find most dangerous about the anti-education mindset is that it promotes stagnation within organizations. If there is no possibility of your staff learning anything new, perhaps all the hardware and software companies should stop innovating because new technologies require educated individuals to implement. If education is not of value, perhaps organizations should stop requesting resumes and applications and simply pluck individuals from the sidewalk and put them in business-critical roles.
Ridiculous? Yes! And why? Because there are always avenues for improvement. And all of those roads are forged by education. Industry data overwhelmingly supports the value of security education. The naysayers are just choosing to ignore the data and spew personal opinions rather than empirical evidence.