04:17 PM
Ira Winkler

Arguments Against Security Awareness Are Shortsighted

A counterpoint to Bruce Schneier's recent post on security awareness training for users

When I read Bruce Schneier's recent blog post, which basically states that security awareness is a waste of resources, I perceived a general misconception about the fundamental concepts of security awareness, concepts that are actually very critical to the discipline of awareness and to security as a whole. This misconception also highlights why many security awareness programs suck.

Bruce uses the term "security awareness training." There is a very distinct difference between "security awareness" and "security training." Security training provides users with a finite set of knowledge and usually tests for short-term comprehension. The once-a-year, 10-minute video that auditors shortsightedly approve as a security awareness program is an example of such training. These are simply "check the box" efforts that are admittedly useless, except to waste time and develop a disdain for security in the minds of the average user.

Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.

More important is that security is about mitigating risk. There is no such thing as a perfect security countermeasure and there never will be. Every technology or security scheme will, or at least can, be bypassed. This is why security professionals advocate defense-in-depth, knowing that you cannot rely upon any single countermeasure. A security program involves a holistic program of countermeasures designed to protect, detect, and react to incidents.

The question then becomes whether security awareness is a cost-effective countermeasure that saves more money than it costs. This is admittedly difficult to answer because, as with all security countermeasures, it is hard to measure the incidents that you prevent. Additionally, few security awareness programs collect metrics. There are, however, many security awareness success stories, and I can refer you to Mitre's site of security awareness successes. Likewise, everyone reading this article knows of many cases where an incident was avoided due to secure behaviors.

To that point, I will address Bruce's argument that even if 4/5 of incidents are prevented, the bad guys still get in. That argument basically says that if the bad guy gets in, all security countermeasures are irrelevant. By that measure, we should abandon security as a whole, since all countermeasures have failed and will fail.

Unless Bruce has a way to provide perfect security, organizational security programs must implement a program that acknowledges that failures will happen, and determine the most cost-effective strategies to mitigate loss through prevention, detection, and reaction. Security awareness is a critical part of that strategy for most organizations, especially the ones with the most to lose.

There are several other issues that Bruce's arguments don't address. He essentially argues that security is about preventing malicious parties from getting in and that once a bad actor is in, all is lost. The reality is that the greatest security-related losses result from people with legitimate access. Insiders doing things maliciously, and more often innocently, create the most significant losses. Security awareness helps well-meaning insiders determine when to report a coworker who is potentially doing something malicious. Likewise, only awareness will stop an employee from taking actions that are not malicious, and are allowed for a normally legitimate business purpose, but are otherwise harmful.

Another issue is that Bruce's blog only addresses computer security. The arguments for technology-based solutions to user failings do nothing to stop non-computer-related risks, or even risks arising in practical office environments. Non-computer-related losses, such as documents left unattended or improperly discarded materials, cannot be stopped by better programmers.

I also have to take exception to Bruce's statement, "Have you ever talked to a user? They're not experts." That is the attitude that causes a rift between security professionals and the general population. Fundamentally demonstrating a lack of respect for users creates a divisive environment. While there are clearly exceptions, most users are well-meaning and competent when asked to take basic security precautions and provided with the proper guidance.

As to the fact that users are not experts, I have major issues with Bruce's description of the medical profession. The average person is clearly not a medical professional, but they know how to treat basic medical conditions that are infinitely more common than a condition requiring professional attention. People know that when they have congestion, they can start treatment by taking a decongestant. They know that when they have a basic cut, they wash it and put on a bandage. They know that when they have a headache, they take a painkiller. Likewise, the average user is more than capable of taking care of the majority of security-related issues, if they are made aware of the appropriate behaviors.

I also have to take special exception to what Bruce essentially describes as the replacement for security awareness: 1) designing systems that prevent users from making security-related mistakes, and 2) enabling folk models of security.

Let's first address the "folk models of security." There is no consensus on security folk models, nor does the existence of a folk model mean it should be supported. Since Bruce uses HIV as an example, a folk model throughout Africa that having sex with a virgin will cure AIDS inhibits HIV awareness efforts. Another false folk model is Bruce's stated belief that "the three-second rule" is a valid food safety practice. While implementing security in a way that is commonly accepted is a valid goal, the fundamental issue is that you cannot rely on people teaching each other safe computing practices.

In the absence of security awareness, Bruce advocates that developers learn to design systems that are secure against user actions. That is delusional: developers have yet to learn to write software that is secure against technical attacks. It is completely unrealistic to expect programmers to make software secure against all non-technical attacks as well. This is the high-tech equivalent of saying that automobile companies should immediately stop spending money installing seat belts and instead try to create cars that reliably drive themselves.

Software that limits the potential damage users can cause would be valuable, but you cannot drop another element of defense-in-depth, whether it is security awareness, anti-virus software, vulnerability scanning, etc., while waiting for that solution to magically arrive.

Finally, the most important issue is that security awareness is not optional for most organizations. A variety of organizations that have a lot of money and information at stake, such as the payment card industry, have conducted extensive investigations and determined that a significant portion of their losses come from human failings. While admittedly many of the resulting programs are poor, following Bruce's advice is clearly not an option.

What is needed is for security professionals to understand that the security awareness discipline requires its own knowledge, skills, and abilities. A competent, or even expert, security practitioner is not a competent security awareness practitioner by default. Organizations need to seek people out, or train people, so they can implement effective awareness programs, and realize some of the highest returns on security investments.

While I acknowledge that many security awareness programs are bad, there are many incredibly effective security awareness programs. I also acknowledge that even the best awareness programs will have their failures, just like every other security countermeasure. It is, however, absurd to hold security awareness to a standard that is higher than the standard for any other security countermeasure, especially when a good awareness program has such a comparatively low cost, and the alternative advocated amounts to a fantasy.

Ira Winkler, CISSP, is President of Secure Mentem and the author of several security books, including Spies Among Us. Special to Dark Reading.


Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security.
User Rank: Apprentice
5/3/2013 | 11:37:24 AM
re: Arguments Against Security Awareness Are Shortsighted

Great question which reveals the root cause.

The root cause (and Ira has been sucked this mentality also) is that executives typically view business and security as 2 separate universes. The same CEO that constantly looks at business indicators like free cash flow doesn't even conceive of security indicators like the number of files leaked by employees this week to their Dropbox accounts.

Considering the current levels of breaches and data loss and business impact - this is an absurd view of the world.

To make security part of the business, we need to start with CEO-level commitment to security just like she's committed to the bottom line. A company's management controls should explicitly include security:

Soft controls: Values and behavior sensing
Direct controls: Good hiring and physical security
Indirect controls: Internal audit driving by real time monitoring

After you do that - you can graduate to enforcement. As Andy Grove once said "A little fear is not a bad thing in the workplace".

See my essay on the Psychology of data security originally written in 2004.

User Rank: Strategist
3/25/2013 | 10:40:26 PM
re: Arguments Against Security Awareness Are Shortsighted
I'm wondering what organizations that can't afford proper security awareness initiatives can realistically do in lieu of check-box training methods.
