Don’t Let Lousy Teachers Sink Security Awareness

You can't fix a human problem with a technology solution. Here are three reasons why user education can work and six tips on how to develop a corporate culture of security.

I strongly believe that end-user awareness training is a very important part of a defense-in-depth security strategy. While we need technological controls, controls will never catch everything -- and social engineers will always find new ways to trick users into doing things they shouldn't.

The bottom line is that you can't fix a human problem with a technology solution. You need to train a culture of security.

Unfortunately, a significant portion of the InfoSec community -- including some security gurus I respect greatly -- disagrees with me on this. They believe end-user education is worthless. Their arguments are wrong, and here's why:

Argument No. 1: Even if training reduces bad user behavior, a mistake from one bad egg still lets threats in. This is the most inane argument against security training I've ever heard. If you are a security professional, you understand that no security control is invulnerable.

No, training will not make your users faultless security ninjas who never make mistakes, but your technical controls don't do that either. Training will, however, lower the number of mistakes users make, which lessens the pressure down the line for your technical security controls and your incident response team.

Argument No. 2: Average people don't care about security; it's too abstract a problem. The InfoSec problem is only abstract to people who are uninformed about the issue. The whole point of training is to inform them. It takes time to change culture, and a shift toward better InfoSec awareness is a culture change, but training does work.

Argument No. 3: Users are just ignorant lay people who don't get it; they'd have to be experts to really understand, and it's just too hard to make them experts. To me, that argument is the crux of the problem. While, admittedly, this is a gross overgeneralization, a large part of the IT community seems to trivialize the intelligence and potential of the average end-user.

If you've been in the IT profession for a while, you've probably heard terms like PEBCAK (Problem Exists Between Chair And Keyboard) and luser (a user who is also a loser), or you've heard phrases like "You can't patch stupid" or "It's a layer eight problem." I believe that over time these jokes have slowly poisoned our community into assuming the average end-user is clueless and stupid. This couldn't be further from the truth.

It's not that IT professionals don't want to be inclusive; most are happy to share their knowledge and insight. It's just that we are so used to talking to peers in our succinct, albeit harsh, shorthand that we forget what it was like not to understand it. This makes IT and InfoSec pros lousy teachers.

The good news is it's easy to change. You can start by following six simple tips that should help improve your security awareness training success rate.

Tip No. 1: Get users on your team. Often, corporate security training comes off as, "You need to be a good employee and protect the company, and here are all the draconian rules." Rather, you should highlight how this security training directly benefits the users themselves. For example, the same InfoSec practices that help protect your company will also help employees at home. If they realize the personal benefits of this sort of training, I think you'll find they'll be much more willing to use them at work as well.

Tip No. 2: Simplify your goals and messages. Training is not about making end-users InfoSec experts. It's about sharing just enough information to foster a few key behaviors. In other words, if you are training them about buffer overflow flaws, you're doing it wrong. Instead, train them to recognize phishing emails and to handle unsolicited attachments safely. In the end, you want them to know just enough about the problem to adopt the right behavior.

Tip No. 3: Don't spout acronyms without explanation. In short, don't speak in the same shorthand you use with peers. Even if you think a term or acronym is well recognized, spend the extra minute to explain it.

Tip No. 4: Examples, anecdotes, metaphors. When you are teaching security awareness, find a way to ground the subject in real examples. In my training presentations, I'm known for including some sort of live attack or "hacking" demo. You may not have the time or resources for a full demo, but you can at least share sample phishing emails or tell stories about actual malware and attacks.

Tip No. 5: Make learning fun and interactive. There are many ways to make training fun. For example, break the group into teams, give them some email samples, and award a prize to the team that identifies the most potentially malicious emails. I know security is a serious subject, but if you get the group interacting and laughing, they'll be more open to the serious advice you give them.
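As an added example (not the article's or WatchGuard's code), here is a small Python script a trainer could use to build the answer key for the team exercise above and to show concretely what the behaviors in Tips 2 and 4 look like: it scores sample emails for the cues that are usually taught, namely a sender domain that imitates the company's, a Reply-To that points somewhere else, a link whose visible text names one domain while its target is another, a risky attachment type, and urgency language. The trusted domain, the cue weights, the threshold, and the two sample messages are all assumptions constructed for the illustration.

```python
# Added example (not from the article): scores sample emails for the phishing cues an
# awareness trainer teaches. The trusted domain, weights and samples are assumed.
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed company domain
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)  # text that reads as an address

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(s):
    """Lower-cased host of an email address, URL or bare domain."""
    s = s.strip().lower()
    if "@" in s:
        return s.rsplit("@", 1)[1]
    return urlparse(s if "://" in s else "http://" + s).hostname or ""

def looks_like(domain, trusted):
    """Near-miss spelling (example-c0rp.com) or a trusted name inside a longer domain."""
    return domain not in trusted and any(
        t.split(".")[0] in domain or difflib.SequenceMatcher(None, domain, t).ratio() > 0.8
        for t in trusted)

def phishing_cues(raw):
    """Return [(description, weight), ...] found in one raw RFC 822 message."""
    msg, cues, text = message_from_string(raw), [], ""
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    if looks_like(from_dom, TRUSTED_DOMAINS):
        cues.append((f"sender domain {from_dom!r} imitates a trusted domain", 2))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        cues.append((f"Reply-To goes to {domain_of(reply_to)!r}, not the sender", 2))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunk = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            text += chunk
            if part.get_content_type() == "text/html":
                p = _Links()
                p.feed(chunk)
                for href, shown in p.links:
                    # visible text names one domain while the real target is another
                    if URL_LIKE.match(shown) and domain_of(shown) != domain_of(href):
                        cues.append((f"link shows {shown!r} but goes to {domain_of(href)!r}", 3))
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            cues.append((f"risky attachment {name!r}", 2))
    hits = [w for w in URGENCY if w in (msg.get("Subject", "") + " " + text).lower()]
    if hits:
        cues.append((f"urgency language: {', '.join(hits)}", 1))
    return cues

def is_suspicious(raw, threshold=2):
    """Answer-key verdict: one strong cue, or several weak ones, crosses the line."""
    return sum(w for _, w in phishing_cues(raw)) >= threshold

# Constructed sample messages for the team exercise (not real mail).
LEGIT = """\
From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Planned maintenance this weekend

The VPN will be unavailable Saturday 02:00-04:00. No action is needed.
"""
PHISH = """\
From: IT Helpdesk <helpdesk@example-c0rp.com>
Reply-To: recovery@mail-relay.example.net
Subject: URGENT: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be suspended unless you <a href="http://login.example-c0rp.com/reset">verify your account</a> immediately.
Or visit <a href="http://198.51.100.7/reset">example-corp.com/reset</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="reset-tool.exe"

AAAA
--b1--
"""
```

Hand the teams the raw messages and keep the output of phishing_cues as the answer key: the maintenance notice scores zero, while the phishing sample trips all five cues, and each cue line tells the team exactly which header or link gave it away. The lookalike check is deliberately loose (a plain substring test plus a similarity ratio), which is fine for a training answer key but would need a real domain list and allow-listing before anyone used it as a mail filter.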

Tip No. 6: Creating a security culture takes time. Finally, don't expect complete change overnight. Everyone wants an easy fix, but expecting one presentation to stop users from ever clicking a phishing link again is not realistic. With new employees and changes in the threat landscape, you will have to repeat and update the training a few times a year.

In my opinion, end-user security training is worth it, despite what some naysayers might claim. There's even data to support that it works. However, not all training is created equal. If we are inclusive and show passion in what we share, I think you'll find the average end-user can be converted into a resilient InfoSec neophyte, making your job a bit easier.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

Comment from Marilyn Cohodas (User Rank: Strategist), 6/16/2014 4:11:50 PM
Re: Excellent Review
It's great that you have such a positive -- and long-term view -- of the issues. It sounds like you are up to the challenge. Thanks for sharing.