The Fundamental Flaw in Security Awareness Programs ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

cbear42,
User Rank: Strategist
8/14/2018 | 8:49:21 AM

Complete Agreement on this one. . .

My concern is that there seems to be a "throw their hands in the air" approach from most development teams and in the industry when it comes to trying to ensure that employees don't make a bad security choice. They have heard the mantra that "users are the weakest link" so often and for so long that they believe there is simply nothing that THEY can do to keep users from making a bad decision.

I am currently working on a doctorate in computer science in the area of usable security. And, there ARE things that can be explored to keep users safer.

1. We can alter the visual format of security messages from one instance to the next. Security messages that morph (changing shape, color, wording) - get a user's attention. Messages that look the same and read the same put users into "autopilot". Something "different" causes them to stop and pay attention - even if only briefly. But, in that brief moment - getting their attention is critical to stopping them from making a careless mistake.

2. Security messages that make no sense to the typical end-user who is NOT a security freak or techie.

3. We rail about insecure passwords - so why aren't password managers part of every corporate security stack? Users would need minimal training and it would go far to stop the "Post-it note"- syndrome. People select the same password over and over because they can remember it. A password manager can generate a new and complex password of any length - and users don't have to remember it.

As a security researcher and analyst, I believe that the development community could stop sighing "weakest link" and do more to support the user and business community. Security awareness training has a shelf-life of approximately two weeks according to most research. Expensive, but it provides a false sense of security.

I suggest re-thinking how development teams and designers approach user security.

Make security usable - and users will use it.

Reply | Post Message | Messages List | Start a Board

100%

imbbtg,
User Rank: Apprentice
7/20/2018 | 10:17:03 AM

Awareness training is more important for phishing attack

IMHO, Phishing attack is beginning of everything and I doubt every usage of email communication can be replaced by business process. For example, IT sending out email to users to do something which can be seen as instructions to users even though it could be phishing email. Security awareness training will be required as long as email, the weakest protocol of external / internal communication that we have ever created, is still being used.

Reply | Post Message | Messages List | Start a Board

50%

REISEN1955,
User Rank: Ninja
7/20/2018 | 8:37:04 AM

Re: Mostly true

In my firm, I would love to have every employee know that ERR Malware is watching "everything" and we will find you. Don't think that browsing imcognito on the web is something we cannot see - we will see it!!! And if code of conduct violation, will act upon facts and potentially walk you out of the door! We are not interested in the occasional mistake or mis-direct. But continued action and plain stupid are actionable.

Reply | Post Message | Messages List | Start a Board

100%

danley,
User Rank: Apprentice
7/19/2018 | 4:55:52 PM

Mostly true

I agree with most of your points. All processes must include security instead of doing it as an after thought or add on. I disagree that awareness training doesn't need to include examples of the undesired behavior. The real problem is the training never makes the motivation personal for the employee.

You have correctly identified the problem with current awareness training in that it doesn't adequately prepare the employee. I feel that way becausse the generic training to fill the square doesn't adequately identify the risk and consequences to the employee. The employee only hears that it will lead to termination. Although this should create sufficient motivation that could affect the employee's lifestyle, the real consequence is the entire company could cease to exist affecting the lifestyle of more than just one. Additionally, the training doesn't emphasize how easily it could happen to any and every employee. Too many people see the news when it happens to someone else and never put it together that those other people are only different in that it already happened to them.

I believe there are only two catefories of people: those that have experienced a compromise and those that will. Those in the news already have. Those reading or hearing about haven't made it to the news yet.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

US Turning Up the Heat on North Korea's Cyber Threat Operations

Jai Vijayan, Contributing Writer, 9/16/2019

MITRE Releases 2019 List of Top 25 Software Weaknesses

Kelly Sheridan, Staff Editor, Dark Reading, 9/17/2019

WeWork's Wi-Fi Exposed Files, Credentials, Emails

Dark Reading Staff 9/20/2019

Live Events

Webinars

[Video] Shaping the Future of IT CIO Lightning Series - Interop19

[Video] An (Ir)rational Approach to Interoperability - Interop19

Enterprise Connect Conference & Expo 2020 - Registration Now Open!

More Informa Tech Live Events

White Papers

[eBook] It's Time to Embrace the Cloud

Tales from the Dark Web

Security 911: How to Be a Zero-Day Network First Responder

How to Get Visibility into Destructive Objects with Speed, Accuracy & Scale

The SIEM Buyers Guide for 2020

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: "He's too shy to invite me out face to face!"

Cartoon Archive

Current Issue

7 Threats & Disruptive Forces Changing the Face of Cybersecurity

This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

The State of IT Operations and Cybersecurity Operations

Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Here’s some insight on what's working – and what isn't – in the data center.

Download Now!

How Enterprises Are Developing Secure Applications

0 comments

The State of Cyber Security Incident Response

0 comments

How Enterprises Are Attacking the Cybersecurity Problem

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2019-16669
PUBLISHED: 2019-09-21

The Reset Password feature in Pagekit 1.0.17 gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts.

CVE-2019-16656
PUBLISHED: 2019-09-21

joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP code via /install by placing the code in the name of an object in the database.

CVE-2019-16657
PUBLISHED: 2019-09-21

TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/.

CVE-2019-16658
PUBLISHED: 2019-09-21

TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF.

CVE-2019-16659
PUBLISHED: 2019-09-21

TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.

Terms of Service
Privacy Statement
Legal Entities