“Leadership is the art of getting someone else to do something you want done because he wants to do it.”
-Dwight D. Eisenhower
There are very few things that will get me upset. We are not talking about mildly irritated. We are talking about the point where my blood pressure rises so high that I literally have to force myself to calm down. One of those few things is when I see someone in the Security Community write or say that because Security Awareness Training is not working we should just get rid of it completely. For those of you who watched my DerbyCon talk, you know that I’m about to go Super Saiyan.
I was enjoying a nice taco lunch with someone else in this industry today when he told me that Bruce Schneier had just posted that he believed “that training users in security is generally a waste of time, and that the money can be spent better elsewhere.” I was chewing on some lettuce and I literally got choked up as the lettuce went into my sinuses. In fact, I am still coughing up that lettuce right now.
If there is one thing being said about Security Awareness Training that is fundamentally wrong, it is “that because it’s not working we should give up on it”.
Bruce makes some points in his article. He likens security awareness training to similar efforts to train the public en masse. Bruce makes the following claim: “We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever. And people are forever ignoring the lessons.” I guess I wouldn’t have any issues with that claim if everyone I saw and knew were horribly obese and listless. I believe that being educated in how to take care of yourself is important, and that a majority of people agree with that education and adhere to it. I’m not a body builder, but I’m certainly not in the ‘people’ category that Bruce defines here.
Bruce continues with “Good practices might protect me from a theoretical attack at some time in the future, but they’re a lot bother right now and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy; no one reads through new privacy policies; it’s much easier to just click “OK” and start chatting with your friends. In short: security is never salient.” I have not seen any Facebook Awareness Education plans at local high schools or colleges. You can’t compare two results when the educational approaches don’t even come close to each other. You can’t say that the Facebook Privacy Awareness Campaign is failing when there isn’t one to begin with. Yes, there are blog posts, like those from Sophos, that point these things out. But how many people outside of this industry are reading Sophos? I would venture to guess that it is probably not a large percentage of the Facebook users who simply click OK on the new privacy settings.
I am not going to continue to dissect all of the, in my opinion, poor examples Bruce gives to support throwing Security Awareness Training out the window. Let me propose that if Security Awareness Training is failing, it’s because of the people doing the training, not the user. If you have a classroom full of students and all of them are failing their tests, I believe it would be safe to say that the teacher’s educational style is not working. It would be inane to just say that the students are stupid and to give up on teaching them. The reason that most Security Awareness Training programs fail is that they are TRAININGS… not Education.
I don’t care who you are, you aren’t going to improve the User Defensive layer with a 2 hour training once a year in a conference room. I’d like to see people learn anything that way and be proficient at the topic trained. I will agree, though, that Security Awareness Training should DIE. We need to adopt Security Awareness Education instead. I said in my DerbyCon talk that I wasn’t trying to create new terminology, but now I feel I have to. You can’t compare a training to education. It’s impossible.
Bruce, in response to your question and statement “To those who think that training users in security is a good idea, I want to ask: “Have you ever met an actual user?” They’re not experts, and we can’t expect them to become experts.” Yes, I have. You are right, they won’t be experts. But my Security Awareness Education has enabled them to identify things that are ‘out of the ordinary’, and during the pentest that was happening TODAY by a well-known company, they identified that someone or something was attempting to mess with their system and reported it to us. Why? Because we educate our users, we don’t train them.
Don’t get me wrong, I attempted to ‘train’ our users for many years. It. Doesn’t. Work. That didn’t mean that I threw my hands up in the air and just decided to buy more blinky boxes. It meant that I needed to change. My users were not going to do anything different. It’s up to the leaders in this industry to realize that they are the ones that need to change if they hope to solicit any change from the users we hope to protect. It’s worked for me here.
Finally, to your statement of “If we security engineers do our job right, users will get their awareness training informally and organically, from their colleagues and friends. People will learn the correct folk models of security, and be able to make decisions using them. Then maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off.” I say rubbish. If the users don’t buy into what you are trying to do, no amount of ‘doing things right’ will just rub off on them. They have to want to do the right things. The only way that happens is when they feel as though the security people doing the education actually care about them, rather than treating them like they are completely inept.
If we want to see change in the user security defensive layer, we need to start the change with ourselves first. Only then can we hope to be in a position to champion others to change as well. The thought of throwing away security awareness education because the people aren’t being taught correctly is inane. I say we throw away the training style and try a new approach that the users actually get excited about.
Don’t just take my word on it, read another post on this topic by Dave Kennedy.