David here again. Chris Hoff, in his often imitated but never duplicated way, recently reopened the massive can of worms that is security awareness training. Go ahead and read the comments on both posts — they are energizing to say the least. I’ve included a paper that I wrote for our customers below. Given the original audience, it’s on the more formal side. Let me know what you think….

Contrary to popular belief, Security Awareness Training need not be a necessary evil, but can instead be an effective method of communicating with and training employees. This research note will outline both the need for, and scope of, an effective security training program.

Few, if any, technology professionals have ever overestimated the ability of users[1]. Others claim that user security training is useless and a waste of time and money[2,3], saying that users are plenty smart but “They shouldn’t have to worry about it. This is a technology problem.” This viewpoint is all well and good as long as the scope is limited to technological issues such as viruses, spam, and phishing attacks. The problem is that the scope and scale of user education need to be much larger for effectiveness. Like any other tool, training is not the end-all and be-all of security. It needs to be used along with sound business process design[4], solid technical controls, and strong support from the senior executive team.

In an enterprise environment, user security training is not:

  1. Telling users not to open emails from people they’ve never heard of
  2. Telling users not to click on random links on web pages
  3. Telling users to patch their own systems

Trying to make users change the way they interact with their tools is very challenging, and the very nature of viruses, phishing, and the like make it very challenging for users to correctly discern the difference between legitimate and hazardous emails and websites. So these are ideal problems for solving with technology. Awareness of the threats, however, is directly useful for users, as they are often the first people to notice issues and notify the helpdesk.

Good security training focuses on broader problems that don’t lend themselves to pure technology solutions. Training can be broken down into two major categories, General and Group-Specific. General security training is appropriate for all employees regardless of their job role. Group-Specific security training focuses on particular skills that are relevant to only a portion of the company.

Examples of General Security Training include:

  1. Education on policies and procedures
  2. Fire/Tornado Drills
  3. What to do in an emergency, e.g., how to get 911 (or equivalent); how to contact on-site security
  4. Locations of First Aid kits
  5. Who to contact if you believe you have identified a security threat or risk
  6. “If you see something, say something”
  7. Not faxing/emailing organizational charts, phone lists, or other protected corporate information offsite
  8. Rules for how to handle confidential information
  9. Travel safety tips

General security training has the advantage of aligning with common-sense emergency preparedness and professional behavior. It is well-suited to mass communication channels, such as email, web-based training, newsletters and posters. Regularly reminding employees about what to do (and not to do), and how, is a cornerstone of a strong security posture. Educating users about policies and procedures is key for not only maintaining a smoothl-running operation, but is absolutely necessary from the standpoint of compliance liability mitigation. For instance, the Payment Card Industry (PCI) Data Security Standard section 12.6 specifically mandates a security awareness program[5], and although not explicitly part of either Sarbanes-Oxley or Graham-Leach-Bliley, many auditors look for awareness training programs. Regular reinforcement is particularly necessary in organizations with high turnover rates, particularly for call centers, help desks, contract or temporary staff. The need for training goes well beyond compliance requirements, however. The following examples further illustrate the importance of ensuring that everyone is aware of the appropriate information.

Users are the first line of defense in the organization and they are most effective when they know what to do. Examples 2 through 6 all focus on what to do should something unfortunate happen, whether that is a minor injury, a major disaster, or anything in between. Examples 7 and 8 are about loss of confidential information and intellectual property. One financial institution discovered through an email content scanning tool that well over 99% of the time that a customer’s PII (Personal Identifiable Information) was sent offsite there was no malicious intent. These security breaches were from unintentional or accidental causes. Not realizing that recipients of the email were not inside the company, or that the file contained PII, were by far the two most common reasons that this sort of data was leaving the company.

Example 9 is all about the safety of corporate personnel when traveling. This is particularly important if employees travel to parts of the world which are known to be dangerous. However, general travel safety tips can be useful to all staff when traveling. Basic reminders like not checking laptops, and use of safety pouches for extra cash and passports, can save both the employee and the company a great deal of money, time and heartache.

Examples of Group-Specific Training include:

  1. Disaster recovery and business continuity planning/training for operations staff
  2. Design/architecture/coding training for the development organization
  3. Fraud detection training for finance staff

Group-Specific training tends to be in-depth and should be treated like any other subject-focused training. As such, it may include dedicated classroom time or attendance at conferences to bring teams up to speed in a timely fashion.

One of the many definitions of security is the process of enabling a business to run in a risky environment. Thus a CSO needs to plan for the inevitable and the unthinkable. In a major disaster, a business continuity/recovery process can be the difference between staying in business and shutting down “for good”. In a high volume commerce or call center environment, the cost of even an hour of downtime can be extremely high. Having a plan is not sufficient. It’s essential that the appropriate staff regularly reviews the plan and also has periodic drills. These drills not only help train employees but also help identify issues and necessary changes, prior to a real incident.

Various studies have shown that fixing issues after the release of a product can cost a company hundreds of thousands of dollars, particularly in support costs[6]. However, the studies found, the cost of repairing the same issue in the architecture and design phase cost on the order of cents or dollars. Tools like the Capability Maturity Model (CMM) have allowed companies such as IBM (Who heavily leveraged CMM in the mainframe groups in the 90s) to reduce bug counts from tens of bugs per line of code to less than one per million lines of code. Similarly, risk modeling allows organizations to better identify the threats and risks that their products encounter in production environments.

Fraud can be one of the highest costs of doing business, especially for financial services and e-commerce companies. Any removal or prevention of fraud goes straight to the bottom line and improves profits. Properly training finance staff can also help detect abuse and embezzlement.

The above are examples of areas that could benefit from specific security training, and are areas where most enterprises could easily benefit. It is also worth noting that a properly implemented security awareness training program will not only provide company HR departments with necessary documentation for actions against employees and/or contractors who endanger the company by disregarding security practices, but also reduce the number of disciplinary actions. As a case in point, several years ago the U.S. Department of State found that 80% of security violations were due to lack of attention to detail or lack of awareness of policies. The department implemented an awareness program and lowered violations by 55% in just one quarter[7].

This note has highlighted that the need and scope of security training is much deeper and broader than often considered. Critics of security training who target their criticisms at poster campaigns or the annual 15-minute video and test are correct to say that such training cannot solve serious information security problems. The existence of inadequate security awareness training, however, must not be construed as “proof” that all training is unimportant. Targeting the right training to the right staff at the right time produces quantifiable improvements in the security posture of an enterprise.

1 http://techbuddha.wordpress.com/2006/10/14/patchlink-ceo-calls-bs-on-zero-days/ 2 http://www.threatchaos.com/archives/2005/10/dangerous_meme.htm 3 http://ranum.com/security/computer_security/editorials/dumb/index.html 4 Forthcoming Echelon One paper on Secure Business Process Design 5 https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf 6 McConnell, Steve. 2004. Code Complete 2. Redmond, WA: Microsoft Press, 29-30. 7 http://blogs.csoonline.com/node/213