The Debate on Security Education and Awareness

This article was written by David Kennedy, Founder and Principal Security Consultant at TrustedSec

A recent blog post from Bruce Schneier makes the argument that security education and awareness is the wrong approach and that the time and investment should be spent elsewhere. Bruce states “I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere.” Bruce draws an analogy to healthier lifestyles and eating the right foods: we continue to ignore even the simplest recommendations, even though doing so negatively impacts how we live.

While I have deep respect for Bruce, I have to respectfully disagree with his stance on this subject. I think the article misses the entire point of a security education and awareness program and relies on a very simplistic generalization of what such a program may look like. Education and awareness can be effective if you take the complete opposite view of what Bruce considers an education and awareness program to be. The point of a program is not to make everyone an expert in security, but to help promote a security-driven culture within the organization. The point has never been to make everyone an expert in security; it has always been to arm employees with basic knowledge so that, in the event something out of the ordinary occurs, they can notify the security team.

Our problem in security is our ability to scale. We cannot scale to the size and speed of the business without significant thought, practice, and prioritization. The “security technology” that we use does not prevent most hackers, so we have to rely on multiple layers of security. That includes education and awareness. If we go back 10 years, a traditional education and awareness program may have been a computer-based training (CBT) course: probably one hour, probably multiple choice, and probably boring. Fast forward to today’s ongoing education and awareness programs, where people are informed of the latest breaches and where security is communicated in a way that makes sense. This is what we call education and awareness today. The focus HAS to be on the users and on basic knowledge and awareness in security. Our security initiatives will not succeed unless we have buy-in within the organization on why we are here and what we are trying to do for the company.

As a former Chief Security Officer for an international Fortune 1000 company, I cannot emphasize enough how important our education and awareness program was. It was not one of the important programs; it was THE most important program. Instead of being viewed as Big Brother, security was a business enhancement, a shield protecting the company. Our security initiatives made sense all the way from upper management through to our employee population. We had little to no resistance in protecting the business. The users were good. Not perfect. Not experts. But they shouldn’t be. They shouldn’t know what a zero-day is, or the latest and greatest security bypass. That’s our job. They should know the basics and how to recognize suspicious behavior.

I would like to argue most of Bruce’s points. This isn’t from hypotheticals; this is from real-world experience securing a company with over 20,000 people and seeing it work in other companies we have had the fortune to work with in consulting:

Bruce Schneier (DarkReading):

Training laypeople in pharmacology also isn’t very effective. We expect people to make all sorts of medical decisions at the drugstore, and they’re not very good at it.

Dave Kennedy – Founder of TrustedSec:

I disagree. We know that if we have a headache, we need an aspirin. We know that if we hurt ourselves badly, we go to the doctor. We know where to go and the basics needed to survive. In Bruce’s analogy, a doctor shouldn’t tell you what’s wrong with you or how to fix it; he should just operate on the person and hope that it’s the right solution and decision. Or we shouldn’t teach individuals to go to a hospital if they are hurt. Security education and awareness is the same thing: it tells you what to do when you get sick or hurt. You come to us security engineers to check it out and make sure you are healthy.

Bruce Schneier (DarkReading):

Another area where training works is driving. We trained, either through formal courses or one-on-one tutoring, and passed a government test, to be allowed to drive a car.

Dave Kennedy – Founder of TrustedSec:

In this case, I will use the exact same argument. We learn to drive over our entire lives based on experience. When we first drive a car we are nervous and don’t know exactly how to behave. However, with experience and practice, we learn and it becomes second nature. The same principles that apply to driving a car can be applied to information security. Security in general is something we are unfamiliar with; however, if it is a part of the company’s culture and regularly practiced and communicated, it becomes second nature. Anyone can understand driving a car as long as it is put into simple terms. Is everyone a mechanic who understands how the car operates inside and out? No.

Bruce Schneier (DarkReading):

The whole concept of security awareness training demonstrates how the computer industry has failed.

Dave Kennedy – Founder of TrustedSec:

I don’t believe the computer industry has failed; I think the way we traditionally handle a simple online click-through training course has failed. We may have failed on the right message and on how we communicate to our users. An education and awareness PROGRAM is not a one-hour CBT that you click through. It’s education and awareness, just like your HR department helps you navigate your expenses. As an employee you have a basic understanding of the fundamental workings of the company: how to submit expenses, how to schedule a conference room, how to not get in trouble for sexual harassment, how to contact marketing for branding, how to follow the appropriate guidelines and expectations of the company. Security is no different. Following basic principles and allowing employees to understand the reasons why certain things are the way they are is beneficial and worth the investment.

The last comment is the one that I have the most disagreement with. From Bruce:

“If we security engineers do our job right, users will get their awareness training informally and organically, from their colleagues and friends. People will learn the correct folk models of security, and be able to make decisions using them. Then maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off. That makes a whole lot more sense.”

Security through osmosis is as good as security through obscurity. I would rather spend two hours out of my week working on education and awareness than configuring a NextGen firewall. I would rather spend an hour out of my week meeting with a different department and communicating security to them than installing a non-managed SIEM. At the end of the day, if a breach occurs, we should have appropriate controls in place to detect and respond. If those fail, our last line of defense is our employees.

At the end of the day, an education and awareness program is one of the cheapest and highest-return-on-investment programs that you have. Instead of buying the latest whizbang advanced persistent threat (APT) prevention, focus on your foundation, focus on your users, focus on a defensible position that scales to your business. If the program is not effective and not producing the return on investment, then we need to change the message and the communication, not pitch it out the window and spend the money on hypotheticals. At the end of the day, we are here to prioritize risk. I would rather have 20,000 sensors in my organization than an osmosis effect with maybe a handful of folks who are passionate about security.

Again, Bruce, I respect you and your thoughts on issues, but coming from experience, this post couldn’t be further from helping our industry and putting us on the right track.

If we can’t make security interesting or communicate it in a way that makes it important to our employees, we have failed as leaders within a company. Communication is everything; without it, security will fail and we will fail in this industry. Train your users, educate them, and most importantly, drive security through your culture. At the end of the day, implementing technical controls as Bruce mentions is only a small part of what we need to do in security and of what we need to invest our time in.

Fight for the users

If you are interested, there is another great post from a good friend, Ben, with additional points that further support this argument.