Don’t Let Lousy Teachers Sink Security Awareness

You can't fix a human problem with a technology solution. Here are three reasons why user education can work and six tips on how to develop a corporate culture of security.

I strongly believe that end-user awareness training is a very important part of a defense-in-depth security strategy. While we need technological controls, controls will never catch everything -- and social engineers will always find new ways to trick users into doing things they shouldn't.

The bottom line is that you can't fix a human problem with a technology solution. You need to train a culture of security.

Unfortunately, a significant portion of the InfoSec community -- including some security gurus I respect greatly -- disagrees with me on this. They believe end-user education is worthless. Their arguments are wrong, and here's why:

Argument No. 1: Even if training reduces bad user behavior, a mistake from one bad egg still lets threats in. This is the most inane argument against security training I've ever heard. If you are a security professional, you understand that no security control is invulnerable.

No, training will not make your users faultless security ninjas who never make mistakes, but your technical controls don't do that either. Training will, however, lower the number of mistakes users make, which lessens the pressure down the line for your technical security controls and your incident response team.

Argument No. 2: Average people don't care about security; it's too abstract of a problem. The InfoSec problem is only abstract to the people who are uninformed about the issue. The whole point of training is to inform them. It takes time to change culture, and a shift towards better InfoSec awareness is a culture change, but training does work.

Argument No. 3: Users are just ignorant lay people who don't get it; they'd have to be experts to really understand and it's just too hard to make them experts. To me, that argument is the crux of the problem. While, admittedly, this is a gross overgeneralization, a large part of the IT community seems to trivialize the intelligence and potential of the average end-user.

If you've been in the IT profession for a while, you've probably heard terms like PEBCAK (Problem Exists Between Chair And Keyboard) and luser (a user who is also a loser), or you've heard phrases like, "You can't patch stupid," or, "It's a layer eight problem." I believe over time these sorts of jokes have slowly poisoned our community into assuming the average end-user is clueless and stupid. This couldn't be further from the truth.

It's not that IT professionals don't want to be inclusive; they really do share their knowledge and insight. It's just that we are so used to talking to peers in our succinct, albeit harsh, shorthand that we forget what it was like not to understand it. This makes IT and InfoSec pros lousy teachers.

The good news is it's easy to change. You can start by following six simple tips that should help improve your security awareness training success rate.

Tip No. 1: Get users on your team. Often, corporate security training comes off as, "You need to be a good employee and protect the company, and here are all the draconian rules." Rather, you should highlight how this security training directly benefits the users themselves. For example, the same InfoSec practices that help protect your company will also help employees at home. If they realize the personal benefits of this sort of training, I think you'll find they'll be much more willing to use them at work as well.

Tip No. 2: Simplify your goals and messages. Training is not about making end-users InfoSec experts. It's about sharing just enough information to foster some key behaviors. In other words, if you are training them about buffer overflow flaws, you're doing it wrong. Instead, you should be training them on how to recognize phishing emails or how to handle unsolicited attachments. In the end, you want them to know enough about the potential problem that they will adopt the right behavior.

Tip No. 3: Don't spout acronyms without explanation. In short, don't speak in the same shorthand you use with peers. Even if you think a term or acronym is well recognized, spend the extra minute to explain it.

Tip No. 4: Examples, anecdotes, metaphors. When you are teaching security awareness, find a way to ground the subject with real examples. In my training presentations, I'm known for throwing in some sort of actual attack or "hacking" demo. You may not have the time or resources for a full demo, but you can at least share sample phishing emails, or tell stories about actual malware or attacks.

Tip No. 5: Make learning fun and interactive. There are many ways to make training fun. For example, break the group into teams, give them some email samples, and award a prize to the team that identifies the most potentially malicious emails. I know security is a serious subject, but if you get the group interacting and laughing, they'll be more open to the serious advice you give them.

Tip No. 6: Creating a security culture takes time. Finally, don't expect complete change overnight. Everyone wants an easy fix. Thinking you can give one presentation that will stop users from ever clicking on a phishing email link is not a realistic expectation. With new employees, and changes in the threat landscape, you will have to redo and update trainings a few times a year.

In my opinion, end-user security training is worth it, despite what some naysayers might claim. There's even data to support that it works. However, not all training is created equal. If we are inclusive and show passion in what we share, I think you'll find the average end-user can be converted into a resilient InfoSec neophyte, making your job a bit easier.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

User Rank: Apprentice
6/11/2014 | 1:18:50 PM
All excellent tips. I particularly like the reminder not to just drop acronyms. Not everyone is already familiar enough with the lingo to know what you mean, and they may not want to ask for clarification, especially in a public forum. 