
Is Security Awareness Training Really Worth It?
Thunder Cat,
User Rank: Apprentice
2/7/2017 | 10:42:03 AM
There are a bunch of organizations that focus on employee awareness training. They vary from do it yourself to fully managed. If anyone is curious, here are some of the most popular ones:
  • PeopleSec
  • Wombat
  • Knowbe4
  • PhishMe

User Rank: Apprentice
11/29/2016 | 9:08:27 AM
Security is a shared responsibility
I agree with everyone who has commented on the subject. Security against cyberattacks and other digital risks is a shared responsibility by all employees within the organization.

As businesses move their shops to the internet and start to do transactions online, security becomes a responsibility of everyone in the organization. In the case of our company, we had our employees undergo online digital awareness training under Career Academy to further improve their awareness of the risks of cyberattacks. The added knowledge increases our confidence in minimizing opportunities for external threats to infiltrate our online shop.

Kudos to the author.
User Rank: Strategist
11/20/2014 | 6:04:35 PM
Re: EVERYONE must be part of the solution.
@aws0513 - I love the quote!  I love the book.  So many truths you can apply to life in general.

My husband takes issue with locking doors (he grew up in rural Pennsylvania) because of an old folk tale his dad told him about "Indians" attacking and pillaging homes in a village but skipping the houses that were unlocked because it was a sign of trust.

User Rank: Ninja
11/20/2014 | 5:32:25 PM
Re: EVERYONE must be part of the solution.
There is some truth to what you say @vnewman2.

"Thus, what is of supreme importance in war is to attack the enemy's strategy." - Sun-Tzu

Most cultures grasp the concept of physical security already.  Lock doors, stay away from dangerous parts of town, don't flash large amounts of money around, learn self-defense skills, don't talk to strangers unless you have an exit plan or are in a public place that you feel is safe.  Entire industries live off of the fact that there are dangerous people in our world.

But for some reason, especially on the civilian side of things, that danger has not been fully recognized or realized.  The damage caused by hackers and inside threats is not palpable to most computer users.  The breach reports look like a bunch of numbers... or just plain FUD.  No blood, few tears, no funeral processions, nothing seems to have been lost.

For the military, the systems they use to do what they need to do are all considered critical, albeit some more than others. If a system fails because it was not properly maintained and protected, lives could be put at risk on both sides of the front of a war or battle.  So from the day they begin basic training, military troops are taught how important it is to maintain security awareness in everything they do.  The practice becomes rote...  second nature...  just like locking the car door is for most civilians.  The practices are the same during peace-time as they are during war-time, with the only exception being a heightened situational awareness when the bullets start to fly.

So... How do we get civilians to see the dangers in a similar light?
Sadly, even though I believe awareness programs are important, I do not believe they will be truly effective unless people know there are palpable repercussions for not paying attention to the information provided and acting on situations as directed.
My fear is something truly horrible will happen someday.  An event that affects everyone in a truly tragic way, that will become the catalyst for cultural change.  I do not want that to happen, but more and more it seems like a reality.
I can only hope that "harping" on the subject of information security with my peers, my coworkers, and my organization management...  every day...  eventually sinks in enough to make a difference.  I have seen a few good results.  But for every good practice, I see many more bad practices yet to be remedied or prevented.
User Rank: Strategist
11/20/2014 | 2:10:08 PM
Re: EVERYONE must be part of the solution.
@aws0513: "I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it"."

Exactly.  And what the end user fails to understand is that the hackers and cybercriminals of the world are always one step ahead, inventing new ways of breaching the security measures already in place.  

Maybe "training" on what to watch out for isn't enough.  Maybe we have to train people to think like a crook and to question everything more readily - much like a member of the military who is always observant of their surroundings, pays attention to details, and is always on alert for anything that looks suspicious or outside the norm.
User Rank: Apprentice
11/20/2014 | 3:50:16 AM
Humans need help!
Security is never going to be top of everyone's priority list. Our research found 52% of workers did not realise that sharing work related logins was a risk. Users are human beings, they are flawed, they will always act outside the boundaries of policy (and sometimes common sense). An optimum strategy to mitigate the risk from this unintentional insider threat is a joined up approach of better training and help from technology solutions. Technology solutions, such as UserLock, which outright restrict some of the bad user behavior (preventing password sharing, restrictions on network access etc), as well as helping educate and disseminate good behavior. This help from technology solutions helps employees get on board with security policy and reinforces the user security awareness training they receive.
User Rank: Apprentice
11/19/2014 | 11:49:20 AM
Re: Responsibility and Empowerment
That police analogy is apt. I was struck by the argument that focusing on security training is leading to victim-blaming, much like what happens when a crime occurs. Training is important, but we don't want IT saying "it's the users' responsibility not mine," either.

So really, *everyone* has to take part.
User Rank: Ninja
11/19/2014 | 10:26:35 AM
EVERYONE must be part of the solution.
During my 22 years of military service, I observed how IT became integral to operations for the military.
Information security practices had already been established in the military long before IT for the masses was even possible. The information security practices had to adjust, but the expectations continued to be consistent.

There are common acronyms in the military: OPSEC (Operations Security) and INFOSEC (Information Security). All units in the military are responsible for practicing OPSEC and INFOSEC as specified by various military regulations. These concepts were around when paper, typewriters, and POTS (plain old telephone systems) were the norm. These concepts still exist today, but have adapted to include the use of computers and networking technologies.

During unit compliance inspections, units are tested/evaluated for their OPSEC and INFOSEC programs. This applies to ALL units. Even though there is usually a specific team on a military installation responsible for the overall establishment of OPSEC and INFOSEC programs within the tenant units, the tenant units are measured for their compliance with that program.
I have seen situations where the oversight team for OPSEC and INFOSEC programs for a military installation did everything they could to get everyone on the right track regarding INFOSEC and OPSEC, but then see a tenant unit fail their INFOSEC or OPSEC inspections (sometimes in spectacular fashion). In classic military form, the final black mark for the evaluation hits the oversight team AND the tenant unit that failed the evaluation AND the installation commander responsible for both. In other words, even though it was the tenant unit that failed the evaluation, everyone in the chain of command is held accountable. Of course, when such things happen... well... stuff rolls down hill and collateral damage is wide sweeping.
The end result: A culture of security consciousness within the entire installation that is consistent and considered normal. Anything "not normal" is considered not good and dealt with swiftly in an appropriate manner.
If only I could get civilian organizations to have the same culture.

Ongoing IT Security Awareness for all organization members is absolutely necessary.
EVERYONE in an organization, from the CEO to the employee sweeping the floors, is responsible for the security of the organization.
In some cases, even customers must understand the security concerns involved with doing business with an organization and accept that they must follow certain protocols in order to properly and safely receive services.

I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it".
My common response: "If that were true for everyone, I would not be spending so much time on incident responses involving poor user practices."
User Rank: Moderator
11/19/2014 | 9:35:10 AM
Re: Responsibility and Empowerment
Good point, we can't expect IT to act as both the utilities companies and the police at the same time; there must be some responsibility on employees to be vigilant when it comes to maintaining a secure work environment.  The problem is it's just way too easy for them to transfer the responsibility to say "this is the responsibility of IT security, not mine" despite them being aware that the weakest links to security tend to be the front lines: email and web interactions.
User Rank: Moderator
11/19/2014 | 7:05:00 AM
Responsibility and Empowerment
>> "Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them".

Apply the same argument to real life: People should be allowed to do whatever they need to achieve fulfilling lives, and it's law enforcement's job to create an environment to protect them.

These are ideals, and they are not wrong to express. But there is the reality of it all. The fact is, you play a role in maintaining your own safety in life. The cops themselves will tell you they can't do it all.

We all bear some responsibility for our own security safety.