Dark Reading is part of the Informa Tech Division of Informa PLC

Ira Winkler

The Fundamental Flaw in Security Awareness Programs

It's a ridiculous business decision to rely on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, or nation-state.

Most security awareness programs are at best gimmicks that will statistically fail at their goal. They intend to educate people so that they can make better decisions regarding how to behave or whether they are being conned. The programs intend to get people to think so that they eventually will behave better. This will at best achieve basic results.

Stop and consider that you are relying on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, nation-state, etc. Logically, this is a ridiculous business decision.

Stop and consider that when an organization hires a new accountant, they do not tell the person that their job is to do accounting and that bad people want to steal money, so they should be careful about it. Companies have a well-established accounting process that essentially takes away any discretion from accountants. Accountants follow the established process and they report and investigate any discrepancies. This is the same for any established business process, whether it be manufacturing, accounting, logistics, etc.

Awareness is usually not handled this way. Companies buy off-the-shelf materials, which show people different tricks and offer general advice. Videos try to be funny, which makes them slightly more memorable, but that's independent of effectiveness. The off-the-shelf materials are not specific to the company and merely provide best practices, some of which are more relevant than others to the circumstances of specific employees in specific job functions.

Consider the common W-2 phishing scams, in which criminals contact HR personnel to get them to send the criminals the data on employee W-2 statements. There may or may not be materials specific to the HR function — but more likely not. The typical videos aim to have employees stop and consider whether they are potentially being tricked. Again, this leaves the discretion to a person with minimal training to thwart a criminal who has likely perfected his or her crimes. There should be no wonder as to why thousands of companies fall victim to W-2 phishing scams.

The underlying problem is that security managers are afraid to get involved in business processes and embed security into those processes. For example, with W-2 phishing scams, users should not have to decide if someone asking them for W-2 information is trying to trick them; they should know the established process for releasing personally identifiable information (PII). Therefore, the HR professional should know that such a request must come directly from their supervisor and be approved by the general counsel. The HR professional should not have to "stop, think, and connect," as the common awareness model would have you do, but specifically determine whether the request has the appropriate approvals. Is it theoretically possible that a criminal can social-engineer the request through a supervisor and then get general counsel approval? Yes, but that is a much higher bar, and the discretion is not left to a random person.

When there is proper governance in place, all critical business processes (if not all business processes) are well defined in procedures or guidelines. A properly run business is not left to the discretion of an employee. Even Disney World, which is famous for allowing some customer service "cast members" unlimited discretion in how they can correct problems, has very defined procedures for how to dress, act, and even point. Security managers should look at every process and determine where there can be user discretion regarding a security-related decision or act, and then essentially define how to remove that discretion. That may include defining a decision process in a procedure or guideline, or implementing technology to take away the need for a user action.

The ideal awareness program focuses on reinforcing the procedures and guidelines, which have embedded security. Using the W-2 phishing scam example, you should not have random phishing videos talking about how phishers are trying to trick people, but the promotion of the specific steps required to release PII. Likewise, you should not talk about how USB drives can be lost; instead, define the specific handling of USB drives in a way that accounts for the potential for lost or stolen drives.
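As an added example (not code from the article or its author), the W-2 release process described above can be turned into a deterministic check that the HR handler runs, or that a workflow tool runs on their behalf, instead of a judgment call. The directory entries, employee ids and request records below are constructed for illustration; the three rules encoded (request must come from the handler's own supervisor, general counsel approval must be recorded against this specific request, and nobody may approve a request they raised or fulfil) are the article's process plus a separation-of-duties check that is an assumption of this example.

```python
"""Approval-gated release of PII (e.g. W-2 data) as a rule check.

Constructed example: the directory and request records are made up for
illustration and do not describe any real organisation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed directory: employee id -> role and supervisor id.
# In practice this would come from the HR system or identity provider,
# never from the text of the incoming request.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "hr-041":   {"role": "hr_specialist",   "supervisor": "hr-007"},
    "hr-007":   {"role": "hr_manager",      "supervisor": "exec-002"},
    "legal-01": {"role": "general_counsel", "supervisor": "exec-001"},
    "exec-002": {"role": "cfo",             "supervisor": "exec-001"},
}


@dataclass(frozen=True)
class Approval:
    approver_id: str   # identity recorded by the approval system, not claimed in an email
    request_id: str    # the specific request this approval was given for


@dataclass(frozen=True)
class PiiReleaseRequest:
    request_id: str
    requester_id: str              # who is asking for the data
    handler_id: str                # HR employee asked to release it
    data_class: str                # e.g. "W-2"
    approvals: Tuple[Approval, ...]  # approvals attached by the workflow tool


def evaluate_release(req: PiiReleaseRequest,
                     directory: Dict[str, Dict[str, str]] = DIRECTORY) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Release is allowed only when every step is met."""
    reasons: List[str] = []
    handler = directory.get(req.handler_id)
    if handler is None:
        return False, [f"handler {req.handler_id} not in directory"]

    # Step 1: the request must come directly from the handler's own supervisor,
    # as looked up in the directory, not as asserted by the sender.
    if req.requester_id != handler["supervisor"]:
        reasons.append(f"requester {req.requester_id} is not the handler's supervisor "
                       f"({handler['supervisor']})")

    # Step 2: general counsel must have approved this exact request id. An
    # approval for some other request (or a stale one) does not carry over.
    gc_approved = any(
        a.request_id == req.request_id
        and directory.get(a.approver_id, {}).get("role") == "general_counsel"
        for a in req.approvals
    )
    if not gc_approved:
        reasons.append("no general counsel approval recorded for this request")

    # Step 3 (assumed separation-of-duties rule): nobody may approve a request
    # they raised or are fulfilling themselves.
    for a in req.approvals:
        if a.approver_id in (req.requester_id, req.handler_id):
            reasons.append(f"approver {a.approver_id} is also the requester or handler")

    return (not reasons), reasons


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the check over a few constructed requests and return the outcomes."""
    cases = {
        # Supervisor asks, general counsel has signed off on this request: allowed.
        "properly approved": PiiReleaseRequest(
            "REQ-1", "hr-007", "hr-041", "W-2", (Approval("legal-01", "REQ-1"),)),
        # Outside party asks with no approvals: the classic W-2 scam shape.
        "external request": PiiReleaseRequest(
            "REQ-2", "ext-payroll", "hr-041", "W-2", ()),
        # Supervisor asks but the only approval on file is for another request.
        "stale approval": PiiReleaseRequest(
            "REQ-3", "hr-007", "hr-041", "W-2", (Approval("legal-01", "REQ-9"),)),
    }
    return {name: evaluate_release(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'RELEASE' if allowed else 'REFUSE'} {reasons}")
```

The point of the structure is that the handler never has to judge whether the sender seems legitimate: the decision depends only on directory facts and recorded approvals, and a refusal comes with the specific rule that was not met, which is exactly the "discrepancy" the article says employees should report rather than resolve on their own.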

In the book Hacking for Dummies, I relate a story in which I used social engineering tactics to have a guard issue me a badge and sensitive access. I later received a call from the facility manager asking me for the name of the guard. I essentially informed the security manager that the fact he didn't know which guard issued me a badge was worse than the guard issuing me the badge. I also informed him that it was his fault that there was no documented process for issuing badges, and that since he couldn't point to a documented action that the guard did not follow, it was his fault the badge was issued.

Awareness programs are usually ineffective because they represent the abdication of security process to users. Users should be told about the specific actions they are required to take when they are an integral part of business processes. I frequently use the example that employees know that they should not watch pornography at work. While compliance requires that this be stressed, employees know that they can be fired without the training. People know and accept the fact that there are practices they have to adhere to as part of their job responsibility, as a condition of continued employment. Security managers need to utilize this fact and stop abdicating their responsibility to implement security practices in business processes. This is the core function of any person overseeing a critical responsibility.


Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security.

User Rank: Strategist
8/14/2018 | 8:49:21 AM
Complete Agreement on this one. . .
My concern is that there seems to be a "throw their hands in the air" approach from most development teams and in the industry when it comes to trying to ensure that employees don't make a bad security choice. They have heard the mantra that "users are the weakest link" so often and for so long that they believe there is simply nothing that THEY can do to keep users from making a bad decision.

I am currently working on a doctorate in computer science in the area of usable security. And, there ARE things that can be explored to keep users safer.

1. We can alter the visual format of security messages from one instance to the next. Security messages that morph (changing shape, color, wording) - get a user's attention. Messages that look the same and read the same put users into "autopilot". Something "different" causes them to stop and pay attention - even if only briefly. But, in that brief moment - getting their attention is critical to stopping them from making a careless mistake.

2. Security messages that make no sense to the typical end-user who is NOT a security freak or techie. 

3. We rail about insecure passwords - so why aren't password managers part of every corporate security stack? Users would need minimal training and it would go far to stop the "Post-it note"- syndrome. People select the same password over and over because they can remember it. A password manager can generate a new and complex password of any length - and users don't have to remember it. 

As a security researcher and analyst, I believe that the development community could stop sighing "weakest link" and do more to support the user and business community. Security awareness training has a shelf-life of approximately two weeks according to most research. Expensive, but it provides a false sense of security.

I suggest re-thinking how development teams and designers approach user security.

Make security usable - and users will use it.

User Rank: Apprentice
7/20/2018 | 10:17:03 AM
Awareness training is more important for phishing attack
IMHO, a phishing attack is the beginning of everything, and I doubt every use of email communication can be replaced by a business process. For example, IT sends out email to users to do something, which can be seen as instructions to users even though it could be a phishing email. Security awareness training will be required as long as email, the weakest protocol of external / internal communication that we have ever created, is still being used.
User Rank: Ninja
7/20/2018 | 8:37:04 AM
Re: Mostly true
In my firm, I would love to have every employee know that ERR Malware is watching "everything" and we will find you. Don't think that browsing incognito on the web is something we cannot see - we will see it!!! And if there is a code of conduct violation, we will act upon the facts and potentially walk you out of the door! We are not interested in the occasional mistake or misdirect. But continued action and plain stupidity are actionable.
User Rank: Apprentice
7/19/2018 | 4:55:52 PM
Mostly true
I agree with most of your points. All processes must include security instead of doing it as an afterthought or add-on. I disagree that awareness training doesn't need to include examples of the undesired behavior. The real problem is the training never makes the motivation personal for the employee.

You have correctly identified the problem with current awareness training in that it doesn't adequately prepare the employee. I feel that way because the generic training to fill the square doesn't adequately identify the risk and consequences to the employee. The employee only hears that it will lead to termination. Although this should create sufficient motivation that could affect the employee's lifestyle, the real consequence is the entire company could cease to exist, affecting the lifestyle of more than just one. Additionally, the training doesn't emphasize how easily it could happen to any and every employee. Too many people see the news when it happens to someone else and never put it together that those other people are only different in that it already happened to them.

I believe there are only two categories of people: those that have experienced a compromise and those that will. Those in the news already have. Those reading or hearing about it haven't made it to the news yet.