Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:17 PM
Ira Winkler
Ira Winkler
Connect Directly

Arguments Against Security Awareness Are Shortsighted

A counterpoint to Bruce Schneier's recent post on security awareness training for users

When I read Bruce Schneier's recent blogbasically stating security awareness is a waste of resources, I perceived a general misconception about the fundamental concepts of security awareness that are actually very critical to the discipline of awareness and security as a whole. This misconception actually highlights why many security awareness programs suck.

Bruce uses the term "security awareness training." There is a very distinct difference between "Security Awareness" and "Security Training."Security training provides users with a finite set of knowledge and usually tests for short-term comprehension. The once a year, 10-minute videos that auditors shortsightedly approve as a security awareness program is an example of such training. These are simply "Check the Box" efforts that are admittedly useless, except to waste time and develop a disdain for security in the minds of the average user.

Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.

More important is that security is about mitigating risk. There is no such thing as a perfect security countermeasure and there never will be. Every technology or security scheme will, or at least can, be bypassed. This is why security professionals advocate defense-in-depth, knowing that you cannot rely upon any single countermeasure. A security program involves a holistic program of countermeasures designed to protect, detect, and react to incidents.

The question then becomes whether security awareness is a cost-effective countermeasure that saves more money than it costs. This is admittedly difficult, because as with all security countermeasures, it is hard to measure the incidents that you prevent. Additionally, few security awareness programs take metrics. There are, however, many security awareness success stories, and I can refer you to Mitre’s site of security awareness successes.Likewise, everyone reading this article knows of many cases where an incident was avoided due to secure behaviors.

To that point, I will address Bruce’s argument that even if 4/5 of incidents are prevented, the bad guys still get in. That argument basically says that if the bad guy gets in, all security countermeasures are irrelevant. By that measure, we should abandon security as a whole, since all countermeasures have and will fail.

Unless Bruce has a way to provide perfect security, organizational security programs must implement a program that acknowledges that failures will happen, and determine the most cost-effective strategies to mitigate loss through prevention, detection, and reaction. Security awareness is a critical part of that strategy for most organizations, especially the ones with the most to lose.

There are several other issues that Bruce’s arguments don’t address. He essentially argues that security is about preventing malicious parties from getting in and that once a bad actor is in, all is lost. The reality is that the greatest security related losses result from people with legitimate access. Insiders doing things maliciously, and more often innocently, create the most significant losses.Security awareness helps well-meaning insiders determine when to report a coworker who is potentially doing something maliciously. Likewise, only awareness will stop an employee from taking actions that are not malicious and allowed as a normally legitimate business purpose, but otherwise harmful.

Another issue is that Bruce's blog only addresses computer security. The arguments for technology-based solutions for user failings do nothing to stop non-computer related risks, or even risks related to practical office environments. Non-computer related losses include documents that are left unattended, improperly discarded materials, etc., cannot be stopped by better programmers.

I also have to take exception to Bruce’s statement, "'Have you ever talked to a user? They're not experts.'" That is the attitude that causes a rift between security professionals and the general population. Fundamentally demonstrating a lack of respect for users creates a divisive environment. While there are clearly exceptions, most users are well-meaning and competent when asked to take basic security precautions and provided with the proper guidance.

To the fact that the users are not experts, I have major issues with Bruce’s description of the medical profession. The average person is clearly not a medical professional, but they know how to treat basic medical conditions that are infinitely more common than a condition requiring professional attention. People know that when they have congestion, they can start treatment by taking a decongestant. They know that when they have a basic cut, they wash it and put on a bandage. They know that when they have a headache, they take a painkiller. Likewise, the average user is more than capable of taking care of the majority of security-related issues, if they are made aware of the appropriate behaviors.

I also have to take special exception with what Bruce essentially describes as the replacement for security awareness; 1) Designing systems that prevent users from making security related mistakes, 2) by enabling folk models of security.

Let's first address the "folk models of security." There is no consensus of security folk models, nor does it mean a folk model should be supported. Since Bruce uses HIV as an example, a folk model throughout Africa that having sex with a virgin will cure AIDS inhibits HIV awareness efforts. Another false folk model is Bruce's stated belief that "The Three Second Rule" is a valid food safety practice. While implementing security in a way that is commonly accepted is a valid goal, the fundamental issue is that you cannot rely on people teaching each other safe computing practices.

In the absence of security awareness, Bruce advocates that developers learn to design systems that are secure against user actions. That is delusional: Developers have yet to learn to write software that is secure against technical attacks. It is completely unrealistic to expect programmers to make software secure against all non-technical attacks as well. This is the high tech equivalent of saying that automobile companies should immediately stop spending money installing seat belts and to try to create cars that reliably drive themselves.

Software that limits the potential damage users can cause would be valuable, however you can’t reduce another element of defense-in-depth, whether it is security awareness, anti-virus software, vulnerability scanning, etc., waiting for that solution to magically arrive.

Finally, the most important issue is that security awareness is not an option for most organizations. A variety of organizations that have a lot of money and information at stake, such as the payment card industry, have conducted extensive investigations and determined that a significant portion of their losses come from human failings. While admittedly many of the resulting programs are poor, following Bruce's advice is clearly not an option.

What is needed is for security professionals to understand that the security awareness discipline requires its own knowledge, skills, and abilities. A competent, or even expert, security practitioner is not a competent security awareness practitioner by default. Organizations need to seek people out, or train people, so they can implement effective awareness programs, and realize some of the highest returns on security investments.

While I acknowledge that many security awareness programs are bad, there are many incredibly effective security awareness programs. I also acknowledge that even the best awareness programs will have their failures, just like every other security countermeasure. It is, however, absurd to hold security awareness to a standard that is higher than the standard for any other security countermeasure, especially when a good awareness program has such a comparatively low cost, and the alternative advocated amounts to a fantasy.

Ira Winkler, CISSP is President at Secure Mentem, and the author of several security books including Spies Among Us. Special to Dark Reading


Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/3/2013 | 11:37:24 AM
re: Arguments Against Security Awareness Are Shortsighted

Great question which reveals the root cause.

The root cause (and Ira has been sucked this mentality also) is that executives typically view business and security as 2 separate universes. The same CEO that constantly looks at business indicators like free cash flow doesn't even conceive of security indicators like the number of files leaked by employees this week to their Dropbox accounts.

Considering the current levels of breaches and data loss and business impact - this is an absurd view of the world.

To make security part of the business, we need to start with CEO-level commitment to security just like she's committed to the bottom line. A companyGs management controls should explicitly include security:

Soft controls: Values and behavior sensing
Direct controls: Good hiring and physical security
Indirect controls: Internal audit driving by real time monitoring

After you do that - you can graduate to enforcement. As Andy Grove once said "A little fear is not a bad thing in the workplace".

See my essay on the Psychology of data security originally written in 2004.

User Rank: Strategist
3/25/2013 | 10:40:26 PM
re: Arguments Against Security Awareness Are Shortsighted
I'm wondering what organizations that can't afford proper security awareness initiatives can realistically do in lieu of check-box training methods.

Kelly Jackson Higgins, Senior Editor, Dark Reading
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Star...
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuratio...