Update (3/20/2013): Social-Engineer.org talks about this topic as well. Check it out here.

“Leadership is the art of getting someone else to do something you want done because he wants to do it.”
-Dwight D. Eisenhower

There are very few things that will get me upset. We are not talking about mildly irritated. We are talking about my blood pressure rising so high that I literally have to force myself to calm down. One of those few things is when I see someone in the Security Community write or say that because Security Awareness Training is not working we should just get rid of it completely. For those of you who watched my DerbyCon talk, you know that I’m about to go Super Saiyan.

I was enjoying a nice taco lunch with someone else in this industry today when he told me that Bruce Schneier has just posted that he believed “that training users in security is generally a waste of time, and that the money can be spent better elsewhere.” I was chewing on some lettuce and I literally got choked up as the lettuce went into my sinuses. In fact, I am still coughing up that lettuce right now.

If there is one thing being said about Security Awareness Training that is fundamentally wrong, it is “that because it’s not working we should give up on it”.

Bruce makes some points in his article. He likens security awareness training to similar efforts to train the public en masse. Bruce makes the following claim: “We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever. And people are forever ignoring the lessons.” I guess I wouldn’t have any issues with that claim if everyone I saw and knew were horribly obese and listless. I believe that being educated in how to take care of yourself is important, and that a majority of people agree with and adhere to that education. I’m not a body builder, but I’m certainly not in the ‘people’ category that Bruce defines here.

Bruce continues with “Good practices might protect me from a theoretical attack at some time in the future, but they’re a lot bother right now and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy; no one reads through new privacy policies; it’s much easier to just click “OK” and start chatting with your friends. In short: security is never salient.” I have not seen any Facebook Awareness Education plans at local high schools or colleges. You can’t compare two results when the educational approaches don’t even come close to each other. You can’t say that the Facebook Privacy Awareness Campaign is failing when there isn’t one to begin with. Yes, there are blog posts, such as those from Sophos, that point these things out. But how many people outside of this industry are reading Sophos? I would venture to guess probably not a large percentage of the Facebook users who simply click OK on the new privacy settings.

I am not going to continue to dissect all of the, in my opinion, poor examples Bruce gives to support throwing Security Awareness Training out the window. Let me propose that if Security Awareness Training is failing, it’s because of the people doing the training, not the user. If you have a classroom full of students and all of them are failing their tests, I believe it would be safe to say that that teacher’s educational style is not working. It would be inane to just say that the students are stupid and give up on teaching them. The reason that most Security Awareness Training programs fail is that they are TRAININGS…. not Education.

I don’t care who you are, you aren’t going to improve the user defensive layer with a two-hour training once a year in a conference room. I’d like to see people learn anything that way and be proficient at the topic trained. I will agree, though, that Security Awareness Training should DIE. We need to adopt Security Awareness Education instead. I said in my DerbyCon talk that I wasn’t trying to create new terminology, but now I feel I have to. You can’t compare a training to education. It’s impossible.

Bruce, in response to your question and statement “To those who think that training users in security is a good idea, I want to ask: ‘Have you ever met an actual user?’ They’re not experts, and we can’t expect them to become experts.” Yes, I have. You are right, they won’t be experts. But my Security Awareness Education has enabled them to identify things that are ‘out of the ordinary’, and during the pentest that was happening TODAY by a well known company, they identified that someone or something was attempting to mess with their system and reported it to us. Why? Because we educate our users, we don’t train them.

Don’t get me wrong, I attempted to ‘train’ our users for many years. It. Doesn’t. Work. That didn’t mean that I threw my hands up in the air and just decided to buy more blinky boxes. It meant that I needed to change. My users were not going to do anything different. It’s up to the leaders in this industry to realize that they are the ones that need to change if they hope to solicit any change from the users we hope to protect. It’s worked for me here.

Finally, to your statement of “If we security engineers do our job right, users will get their awareness training informally and organically, from their colleagues and friends. People will learn the correct folk models of security, and be able to make decisions using them. Then maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off.” I say rubbish. If the users don’t buy into what you are trying to do, no amount of ‘doing things right’ will just rub off on the users. They have to want to do the right things. The only way that happens is when they feel as though the security people doing the education actually care about them and don’t treat them like they are completely inept.

If we want to see change in the user security defensive layer, we need to start the change with ourselves first. Only then can we hope to be in a position to champion others to change as well. The thought of throwing away security awareness education because the people aren’t taught correctly is inane. I say we throw away the training style and try a new approach that the users actually get excited about.

Don’t just take my word on it, read another post on this topic by Dave Kennedy.


3 Responses to Security Awareness Education

  1. varmapano says:

    Very interesting. I had a similar discussion at work today, but totally unrelated to Bruce Schneier’s post. Coincidences…

    I agree more with your view and Dave Kennedy’s. However, I will not revolutionize anything with this but I prefer to pick from both sides:

    Security education is mandatory. Its effectiveness must be measured by students’ satisfaction and their increased capacity to identify and report observed suspicious activities. It must also constantly be eased by improved security engineering from developer teams who are trained not only to develop better technical security mechanisms but also to keep simplified end users’ education in mind.

    @varmapano

  2. Drbearsec says:

    Well done Ben and spot on!

  3. I agree with what you wrote and I watched most of your DerbyCon talk. Nice dance moves. :)

    What I would like to add is that the folks in their 30s and older using computers today grew up in an era of no passwords required. Meaning that you could boot your TRS-80 or Apple IIe without a password prompt.

    Since passwords are most users’ first introduction to a layer of security and awareness, this was never psychologically ingrained into our brains until we were in college on a mainframe or at an office job with shared resources to get access to.

    Today’s end users are as young as 1 year old. They can’t read, count or speak, but they can flick through pics on a smartphone, or play a game designed for their age, or listen to Mickey Mouse on Pandora. But, if the passcode is enabled, they *know* that they are being prevented from entertainment. It’s security awareness, without the education. It becomes a part of their computing experience and they know it’s an obstacle, while learning to respect it.

    I believe that children growing up in this digital age of data protection and security awareness will have the security education we want them to have. It will be a part of their DNA.

    As we slowly evolve away from old security techniques such as 8 character passwords, unencrypted hard drives, and single factor authentication, our children will look back at us and laugh at how primitive our current approaches are.

    “What do you mean you didn’t encrypt all of your hard drives?”

    “Why would you put a file in Dropbox without encrypting it first? That’s just st00pid!”

    Keep fighting the fight. Every day the older users get better educated because they are learning their incentives go beyond a $5 Subway gift card. They are incited to protect their bank accounts from getting drained or to avoid ransomware scams holding their personal data hostage for money, to name a couple of examples.

    Evolution is an essential component to survive on this planet. I agree that this applies to our security leaders but *also* senior management teams.