David here again. Chris Hoff, in his often imitated but never duplicated way, recently reopened the massive can of worms that is security awareness training. Go ahead and read the comments on both posts — they are energizing to say the least. I’ve included a paper that I wrote for our customers below. Given the original audience, it’s on the more formal side. Let me know what you think….
Contrary to popular belief, Security Awareness Training need not be a necessary evil, but can instead be an effective method of communicating with and training employees. This research note will outline both the need for, and scope of, an effective security training program.
Few, if any, technology professionals have ever overestimated the ability of users[1]. Others claim that user security training is useless and a waste of time and money[2,3], saying that users are plenty smart but “They shouldn’t have to worry about it. This is a technology problem.” This viewpoint is all well and good as long as the scope is limited to technological issues such as viruses, spam, and phishing attacks. The problem is that the scope and scale of user education need to be much larger for effectiveness. Like any other tool, training is not the end-all and be-all of security. It needs to be used along with sound business process design[4], solid technical controls, and strong support from the senior executive team.
In an enterprise environment, user security training is not:
- Telling users not to open emails from people they’ve never heard of
- Telling users not to click on random links on web pages
- Telling users to patch their own systems
Trying to make users change the way they interact with their tools is very challenging, and the very nature of viruses, phishing, and the like make it very challenging for users to correctly discern the difference between legitimate and hazardous emails and websites. So these are ideal problems for solving with technology. Awareness of the threats, however, is directly useful for users, as they are often the first people to notice issues and notify the helpdesk.
Good security training focuses on broader problems that don’t lend themselves to pure technology solutions. Training can be broken down into two major categories, General and Group-Specific. General security training is appropriate for all employees regardless of their job role. Group-Specific security training focuses on particular skills that are relevant to only a portion of the company.
Examples of General Security Training include:
- Education on policies and procedures
- Fire/Tornado Drills
- What to do in an emergency, e.g., how to get 911 (or equivalent); how to contact on-site security
- Locations of First Aid kits
- Who to contact if you believe you have identified a security threat or risk
- “If you see something, say something”
- Not faxing/emailing organizational charts, phone lists, or other protected corporate information offsite
- Rules for how to handle confidential information
- Travel safety tips
General security training has the advantage of aligning with common-sense emergency preparedness and professional behavior. It is well-suited to mass communication channels, such as email, web-based training, newsletters and posters. Regularly reminding employees about what to do (and not to do), and how, is a cornerstone of a strong security posture. Educating users about policies and procedures is key for not only maintaining a smoothl-running operation, but is absolutely necessary from the standpoint of compliance liability mitigation. For instance, the Payment Card Industry (PCI) Data Security Standard section 12.6 specifically mandates a security awareness program[5], and although not explicitly part of either Sarbanes-Oxley or Graham-Leach-Bliley, many auditors look for awareness training programs. Regular reinforcement is particularly necessary in organizations with high turnover rates, particularly for call centers, help desks, contract or temporary staff. The need for training goes well beyond compliance requirements, however. The following examples further illustrate the importance of ensuring that everyone is aware of the appropriate information.
Users are the first line of defense in the organization and they are most effective when they know what to do. Examples 2 through 6 all focus on what to do should something unfortunate happen, whether that is a minor injury, a major disaster, or anything in between. Examples 7 and 8 are about loss of confidential information and intellectual property. One financial institution discovered through an email content scanning tool that well over 99% of the time that a customer’s PII (Personal Identifiable Information) was sent offsite there was no malicious intent. These security breaches were from unintentional or accidental causes. Not realizing that recipients of the email were not inside the company, or that the file contained PII, were by far the two most common reasons that this sort of data was leaving the company.
Example 9 is all about the safety of corporate personnel when traveling. This is particularly important if employees travel to parts of the world which are known to be dangerous. However, general travel safety tips can be useful to all staff when traveling. Basic reminders like not checking laptops, and use of safety pouches for extra cash and passports, can save both the employee and the company a great deal of money, time and heartache.
Examples of Group-Specific Training include:
- Disaster recovery and business continuity planning/training for operations staff
- Design/architecture/coding training for the development organization
- Fraud detection training for finance staff
Group-Specific training tends to be in-depth and should be treated like any other subject-focused training. As such, it may include dedicated classroom time or attendance at conferences to bring teams up to speed in a timely fashion.
One of the many definitions of security is the process of enabling a business to run in a risky environment. Thus a CSO needs to plan for the inevitable and the unthinkable. In a major disaster, a business continuity/recovery process can be the difference between staying in business and shutting down “for good”. In a high volume commerce or call center environment, the cost of even an hour of downtime can be extremely high. Having a plan is not sufficient. It’s essential that the appropriate staff regularly reviews the plan and also has periodic drills. These drills not only help train employees but also help identify issues and necessary changes, prior to a real incident.
Various studies have shown that fixing issues after the release of a product can cost a company hundreds of thousands of dollars, particularly in support costs[6]. However, the studies found, the cost of repairing the same issue in the architecture and design phase cost on the order of cents or dollars. Tools like the Capability Maturity Model (CMM) have allowed companies such as IBM (Who heavily leveraged CMM in the mainframe groups in the 90s) to reduce bug counts from tens of bugs per line of code to less than one per million lines of code. Similarly, risk modeling allows organizations to better identify the threats and risks that their products encounter in production environments.
Fraud can be one of the highest costs of doing business, especially for financial services and e-commerce companies. Any removal or prevention of fraud goes straight to the bottom line and improves profits. Properly training finance staff can also help detect abuse and embezzlement.
The above are examples of areas that could benefit from specific security training, and are areas where most enterprises could easily benefit. It is also worth noting that a properly implemented security awareness training program will not only provide company HR departments with necessary documentation for actions against employees and/or contractors who endanger the company by disregarding security practices, but also reduce the number of disciplinary actions. As a case in point, several years ago the U.S. Department of State found that 80% of security violations were due to lack of attention to detail or lack of awareness of policies. The department implemented an awareness program and lowered violations by 55% in just one quarter[7].
This note has highlighted that the need and scope of security training is much deeper and broader than often considered. Critics of security training who target their criticisms at poster campaigns or the annual 15-minute video and test are correct to say that such training cannot solve serious information security problems. The existence of inadequate security awareness training, however, must not be construed as “proof” that all training is unimportant. Targeting the right training to the right staff at the right time produces quantifiable improvements in the security posture of an enterprise.
1 http://techbuddha.wordpress.com/2006/10/14/patchlink-ceo-calls-bs-on-zero-days/ 2 http://www.threatchaos.com/archives/2005/10/dangerous_meme.htm 3 http://ranum.com/security/computer_security/editorials/dumb/index.html 4 Forthcoming Echelon One paper on Secure Business Process Design 5 https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf 6 McConnell, Steve. 2004. Code Complete 2. Redmond, WA: Microsoft Press, 29-30. 7 http://blogs.csoonline.com/node/213
Reader interactions
6 Replies to “We Don’t Need No Education”
@Allen
very well put and I agree with you. It seemed that the original post was implying that because once in awhile i may come across a situation like you describe i therefore should not teach people about suspicious attachments from people they dont know, which wouldnt make much sense. its akin to saying well WEP is crackable therefore i wont use it at all.
“Rather teach them that every piece of email should be treated with caution especially those that are unexpected and those that come from “people” they don’t know.”
that’s exactly right.
-CG
In answer to CG:
The problem with teaching specifics like that is that they may not be always valid. Consider the case I had recently where a colleague had his PC taken over by some malware. The corrupted PC then sent email out to all of his contacts from him. If you teach people not to open attachments from people they don’‘t know , you are implying that they can open attachments from people that they do know. Rather teach them that every piece of email should be treated with caution especiialy those that are unexpected and those that come from “people” they don’‘t know.
They need to know the bigger picture and not just a list of rules.
Nice piece! In general, you and I think alike.
We identify three separate audience groups for our information security awareness programs:
1. General employees (everyone, including the other 2 audiences)
2. Managers
3. IT professionals.
They have different perspectives, preferred communication styles and information needs.
We also cover around 30 information security “topics”, a wider brief than your list. This works for us because we focus on a topic for a month at a time, then move along to the next. Awareness programs that mix everything up just confuse everyone with mixed messages. Focus also allows us to provide more depth, particularly for the management and IT pro streams, where appropriate. We still have an “induction module” for new employee orientation, covering a range of commonplace infosec topics at a fairly basic level.
One final point: awareness =/= training. “Awareness” is about seeding more general concepts to generate a widespread and deep-rooted security culture, whereas “training” provides more specific information and direction in narrow areas for people who are expected use the specific skills in their jobs. “Education” is different again … NIST SP800-50 explains the distinction in more detail. We see them as separate but complementary approaches.
Kind regards,
Gary Hinson
I’‘m confused. We should not cover:
1. Telling users not to open emails from people they’ve never heard of
2. Telling users not to click on random links on web pages
in our security training programs? When technology has caught up with a way to actually prevent those 2 things from happening then i could see not covering those topics. but that is obviously not the case right now. what should i do in the interim? having the users all spun up on who to call when they see something or someone suspicious but not teaching them what constitutes a suspicious action/email/person doesnt make much sense to me.
The things in your list are good especially 3, 5 & 6, but we shouldnt cover the technical piece as well? I just dont believe we cant change user’s behavior especially when it comes to being gullible on the net. it seems that the slap on the wee wee just isnt severe enough yet to warrant a behavior change.
I will concede that getting enough higher-up’s approval to make that slap on the wee wee severe enough will probably come long after we get the user problem fixed but may work in some organizations.
he uses his head for more the just showing off that fantastic mane of hair, David Mortman discusses user awareness training over on Securosis. Go read the post, I’ll
David, the one thing you touched on, but that most training critics miss, is that security training ain’‘t just for users. It’s also for system administrators, developers, and anyone else who is responsible for creating or supporting IT. It takes a different kind of training to explain to a sysadmin how to configure a system securely, versus teaching a developer about secure coding or architecting for security, and you can spend your whole career doing it. If you’‘re only doing the posters, you’‘re not doing your job.