"Security awareness has a bad reputation, and to be honest it deserves it," says Alan Paller, director of research at the SANS Institute. "Most programs have been poorly planned or executed."
According to Paller and a growing contingent of training advocates, it is time that the security industry takes a hard look in the mirror to understand why awareness programs are so ineffective today.
"The problem is not the users. The problem is us," says Mike Murray, managing partner for consultancy MAD Security, which recently landed a $1.2 million contract to provide security training and support to the US Coast Guard for the next four years. "The thesis that we as an industry operate on is, 'Oh well, there's no point in training the users because they're too stupid to get it anyway and it's never going to work.' That's just not true. The problem is we do it wrong."
According to Murray, the big issue is that security people think that simply making users aware of security issues will make them want to change their behavior. But awareness doesn't equal action.
"If that were true, there's not one person in America who would ever smoke a cigarette," he says. "You can't just sit users down, give them thirty minutes of information about why security is important and expect that will change how they behave on a daily basis. That can't work because that's not how people work."
In order to really resonate with users, Murray says that the security world needs to take a page from the playbook of those who have for decades worked on the art and science of changing people's behavior: marketers.
"Everybody needs to stop talking about how to make users more aware and start talking about how to modify users' behavior," he explains. "So how do marketers do it? Well, first of all, they focus on small pieces of information that can infiltrate the human mind easily, whereas with awareness training we give someone 55 different topics in 15 minutes of training and expect them to remember it and change something."
Paller concurs with Murray; organizations need to improve how they communicate and do a better job deciding what to communicate.
"Unfortunately most awareness programs are communicated by security professionals, people who by nature tend to be bad communicators," he says. "Most awareness programs overwhelm people with long monolithic training, with no thought or research into WHAT should be taught. As a result organizations are wasting time teaching people topics they do not need to know."
Additionally, Paller believes that organizations have to constantly reinforce concepts. Right now too many programs are rolled out on an ineffective annual basis.
"Just like computers, people must be patched at least every month. Awareness programs (should be on) a continuous life-cycle where employees must constantly be updated, trained and reinforced," he says. "Yet, most awareness programs are nothing more than a onetime event, and then people wonder why nothing happens."
What's more, even with fireworks and a halftime show, security training programs are still likely to fail if no consequences await users who choose not to change their behavior once they've been taught.
"If people make the same mistakes over and over then at some point or another there needs to be some sort of disciplinary action," says Hord Tipton, executive officer for (ISC)2, "particularly if there has been good due diligence and the company has made good effort to teach people the right way to do things."
The consequences don't even necessarily have to be serious. Sometimes a little public embarrassment with a dash of good humor can do the trick, says Jeff Nigriny, CEO of CertiPath, an identity and compliance vendor. In his time as a CSO at an aerospace contractor, one of the policies he trained users on was that they needed to keep their PCs locked anytime they stepped away from them. He had a prankster's way of dealing with offenders.
"Now, I wouldn't say this would necessarily work at a larger company, but at a smaller company where the HR policies weren't as stringent, I would walk around as a security officer and if I saw someone's PC was unlocked I would sit down and send emails under their name," he says. "I tried to make them funny."
If organizations do a good job with engagement, behavior change and constant reinforcement, they should experience good results in the long run. That's why security pros need to complement a good training program with a solid set of metrics to make sure it's working. One of the biggest problems with awareness training programs these days is that organizations do nothing to measure before-and-after user performance.
"Step one is to get good measurements of user behavior before training and then the same measurements of the post-training state to find out if you're actually getting a return on that time you spent," Murray says. He says that frequently he sees companies that tell him they don't know how many phishing attacks are succeeding before or after training. When asked if the training worked, "their answer is that 'Well, 100 percent of the people took the training.' That's like measuring your kids' performance in school by whether they showed up."