A recent Twitter post by Team Cymru pointed at a (very brief) debate about the value of security awareness training. It’s an issue that has concerned me for a long time.
I got interested in security starting with research into viruses and malware. Early on, I did a lot of work reviewing the various available products. In the responses I got to my efforts, one point was abundantly clear: everyone, almost without exception, was looking for the “perfect” antivirus. Even though Fred Cohen had proven that such an animal could not possibly exist, everybody wanted something they could “set and forget.”
Notice two things. The first is that perfect security doesn’t exist. As (ISC)2’s marketing phrase has it, security transcends technology. The second point is that people aren’t particularly keen on learning about security. They fight against it. They have to be motivated into it. And that motivation tends to be individual and personal.
Which means security awareness training is hard, and individual, and therefore expensive. Expensive means that companies are loath to try it, in any significant way. Hundreds of thousands or millions of dollars can be spent on a raft of security technologies, but security awareness programs can only get a budget of a few thousand a year. Which means they can’t be individual, which means they won’t work very well, which means companies aren’t willing to try them.
The default position people take is to resist security awareness. They don’t want to know extraneous stuff. They just want to get on with their jobs. So, even if you were to produce a really good security awareness program, there would undoubtedly still be some who would resist to the end, and not learn. They wouldn’t benefit from the program, and they would still make mistakes. So security awareness training won’t be perfect, either. Sorry about that.
However, I’ve noticed something over the years. I get asked, by all my friends and acquaintances, for advice about virus protection, and home computer protection. Some learn the ins and outs, the dangerous activities, the marks of a phishing email message. They never ask me to clean their machines. Some just ask about the “best” antiviral software. Usually after they’ve asked me to clean off a computer. I identify what they’ve got, and tell them how they got it. “You shouldn’t [do music sharing|do instant messaging|go to all those weird Websites|open attachments you receive],” I tell them. They always have reasons why they must do those things. (Not very good reasons, mind you, just reasons.)
You know that old medical joke about “Doctor, it hurts when I do this” “Well, don’t do that”? It’s not funny.
People ask me what antivirus program I use at home. Very often I don’t use one, unless I’m testing something. (At the moment I’m testing two, and I’m about ready to take both of them off, since both of them can be real nuisances at times.) There are long periods where I run without any “protection.” I know what not to do. My wife knows what not to do. (After all, she read my first book seven times over, while she was editing it.) We don’t get infected. Not even by “zero days” or “advanced persistent threats.”
Security technology isn’t perfect. Security awareness training isn’t perfect. However, at present, and for as long as I can remember, the emphasis has been on security technology. We need to give awareness more of a try.
Is security awareness “worth it”? Is security awareness “cost effective”? Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security. Three arguments in favour of at least trying security awareness spending:
1) When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.
2) Security awareness is mostly about risk management. Business management is mostly about risk management. Security awareness can give you advantages in more than just security.
3) Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.