Last month, an (electronic) age old debate was rekindled by an article penned by Dave Aitel titled “Why you shouldn't train employees for security awareness”. His basic argument is that the money and time invested in Security Awareness Training is better spent elsewhere to better effect. The discussion that raged afterwards has been summarized and commented on extensively, so that I thought it is time that I also give my Gold Dollars’ worth of opinion on the topic.
What I missed in the debate, is a critical view of why Security Awareness often struggles to contribute towards a proportionate return on investment. Even lacking solid statistics, I can make a good case for why the way that security awareness training is often approached is ultimately flawed and fails in even understanding of how awareness is really formed.
It all really comes down to this – It’s the psychology, stupid!
There is an Amazonian tribe that speaks a language lacking mathematical concepts. The Piraha peoples native lingo offers “just three imprecise words for quantities: Hòi means "small size or amount," hoì, means "somewhat larger amount," and baàgiso indicates to "cause to come together, or many.” Anthropologists have found that this lack of concepts to express any precise amounts has a major impact on the Pirahas’s ability to understand numerical concepts. The findings highlight that to understand any concept, you require a cultural and linguistic framework to even be able to think and conceptualize abstract topics.
For most of us, counting is something that happens almost intuitively in many activities throughout the day. For the security professionals the same applies to security awareness. Imagine instead only being able to think “one”, “a few”, “lots”, and you may understand how many users will think and understand about security.
It is like trying to explain dry land to a fish. “Sure,” the fish will say, “There’s no water, I get it”. The moment though, that it is taken out of the water it will be too busy gasping for air to even take note of how it feels. It will never really associate anything other than displeasure with dry land and avoid it at all costs.
Our awareness is the sum of our experience with security and risk, and as such we possess the mental concepts to have an intuitive awareness for it. Most people never will. Unless you cultivate an environment where security and risk awareness is a direct requirement for the role and pervades all activities, the cost of building this sort of awareness is beyond the scope of most organizations.
Having just pointed out, that for the most part, true understanding and intuition for security is beyond the reach of most corporate and government training programs for the masses, let’s come to next best thing. Forming and changing habits.
A habit is a behavioral routine that a subject repeats subconsciously and repeatedly. The beauty of a habit is that the person possessing it does not need to even understand why they are doing what they are doing. Billions of people every day routinely do things without even thinking about it without fully knowing the reason why. It works.
Habits are also the fundamental basis of all good and bad security. The good habits, like patching regularly, frequently changing your passwords or locking your computer screen when you go and get a coffee are the things that will ensure a high measure of protection.
The bad habits, like reusing the same password everywhere, exchanging funny videos whilst at work, or circumventing the company proxy to be able to surf policy blocked sites are the habits that will ultimately all but ensure a nasty security incident in one form or another.
To complicate things a little, keep in mind though that even a good habit can be exploited, for example due to its predictability. Many an assassination victim in hindsight would have probably considered bringing some variation into his routine.
This makes it all the more puzzling why for the most part we attempt to train people in the manner that we do. Death-by-Powerpoint, a Webcast, or an instructor lead course with a touch of fun role-playing is the usual punishment inflicted on security awareness trainees. After the typical security awareness course, there is usually no further concerted effort to practically instill good habits.
We as security professionals have these habits because this is our daily bread, and we have had enough time and regular exposure to form them. In fact, this process has been so invisible that it often makes it difficult to even understand why others don’t get it.
What this boils down to though, is that your Security Training has to be so regular and cyclical that habits are formed, or that this habit formation and behavioral modification has to be continuously nurtured in the day to day environment.
Reward and Punishment
The way that nature enforces habits, is by rewarding you for good habits, and punishing you for bad ones. If you have the habit of not being too particular about what you eat, that habit will violently be removed from the Gene-pool. If you however develop a habit of not sleeping on the forest floor, you will be rewarded by not painfully being torn about by some wild animal. As above, so below.
No matter what rules, laws, or policies you set up, and regardless of what you want to get people to do, the only real factors that drive behavior are Reward and Punishment. Like almost any self-organizing system, after a short period of time, natural patterns of habit and behavior will emerge based on what people get the most pleasure, gain or pain out of.
If the potential reward (like the immediate pleasure of seeing that naked photo of Anna Kournikova) is perceived to be greater than the potential punishment (in most cases, nothing substantial), your network has a high likelihood of being the next Patient-X in a pandemic malware outbreak.
This “Immediate Reward Bias” is also one of the reasons why most people have absolutely no feeling for how risky some behavior can be. Most people only ever read about security breaches, and even if they do experience themselves directly, they either do not do so with enough frequency or with full awareness. An illustrative anecdote here is the amount of people that when discovering malware on their PC just reinstall, without any actual thought about what was done with their data and IP-Address during the time they were part of a botnet.
There is not enough perceived risk. Which is why artificial risk, in the form of disciplinary action is an instrumental component of any security policy. Every breach could have been an incident. And treating it as such will instill respect and fear in the users.
This is so underestimated and misunderstood, yet it is the simplest and most effective tool at anyone’s disposal. We use it to train children, dogs, monkeys, and even rats. Yet most leaders are only semi-proficient in applying it.
The failure of enforcing security awareness without the threat of some form of disciplinary action leads to entirely predictable results, vividly captured by a recent survey conducted by Cryptzone, which revealed that 56 percent of the respondents said “boards of directors think IT policies do not apply to them..”, and the damning result that 52 percent agree with the statement “that the board of directors have access to the most sensitive information in the organization but have the least understanding of security.”
Lower down the ranks, prevailing attitudes are, unsurprisingly, not much better, as a survey conducted by Cisco last year made clear. These are not new trends either, but can be traced back over years.
Throwing the baby out with the bathwater
I think that the discussed perceived shortcomings do not really reside with Security Awareness Training per se. The problem is that Security Awareness Training has to be done a certain way for it to be effective, taking into consideration how and why people act the way they do, and within a suitable framework and culture that provides a context for it, and not reside in a vacuum.
We really have all the knowledge and evidence that we require to create real security awareness. But Marketing seems to be the only department interested in looking at the cognitive and behavioural sciences, something many areas can benefit from.
As such, I fully agree with Dave Aitel that the manner in which most security awareness training is conducted is for the most part a complete waste of money and resources.
But I do not believing in throwing out the baby with the bathwater. If done in the right way, Security Awareness Training can provide a lot of value and benefit the security posture greatly. We see working examples in the Atomic Energy Industry, in Aviation and in the Armed forces. Almost all involved parties in WW2 did a grand job in raising awareness, if sometimes with less than honest means. But these examples have a direct obligation and duty to be safe and secure, something lacking overall, and as such provide a culture of security awareness.
Security Awareness Training is not entirely without value though. The cynical explanation is that in a worst case scenario it fulfils the obligation of employers to provide security awareness training and absolves them of blame. This obligation does not evaluate the impact on actual security awareness – it is a purely legal matter. But it does ensure that no employee can claim not to have been trained. HR is happy, future litigation has been avoided, responsibility has been delegated. But the true risk still remains.