Day 14: Understand the Limitations of Security Awareness Training

We alternately hear “people are the first line of defense” or “people are the last line of defense” in cyber security.  I haven’t figured out which one is true.  Regardless, we need to understand that there are limits to the effectiveness of awareness training and that our first line of defense or our last line of defense (whichever is correct) is quite fallible.

It comes as no surprise to anyone that training humans is not like defining a rule base in a firewall.  We tell a firewall what network traffic to permit, and what to block based on attributes of the traffic.  Similarly, we train our employees on how to identify and resist various types of attacks.  Firewalls will dutifully and predictably follow the rules it was programmed with.  Humans, however, are a different story.

Let’s imagine for a moment that we have developed a perfect security awareness program.  It clearly communicates dos and don’ts, how to spot attacks, how to report problems, and so on, in a way that is memorable and engaging.  I propose that the outcome will be significantly less than perfect, because of the following factors:

  • People act irrationally under stress from things such health problems, family problems, medication, and lack of sleep
  • Any given person will act upon the same set of conditions differently based on the time of day, proximity to lunch, day of the week, and many other factors that affect his or her frame of mind at the time
  • People in a business setting generally have incentives that may, at least some of the time, run contrary to the recommendations of awareness training, such as project deadlines, management expectations, and so on.

This should tell us that awareness training is, at best, a coarse screen that will catch some problems, but allow many others to pass unimpeded.  As such, we should focus on providing awareness education that provides the biggest value, in terms of outcomes, and then focus our remaining effort on enhancing process and technical controls that are designed to provide more predictable, and repeatable security outcomes, similar to the operation of a firewall.

On a related note, I personally think it’s irresponsible to pin the safety of an organization’s systems and data on an employee recognizing that a potentially sophisticated attack.  For this reason, I think it is incumbent on us to develop and implement systems that are resilient to such attacks, and allows employees to focus on their job duties.

One thought on “Day 14: Understand the Limitations of Security Awareness Training”

  1. Our best line of defense is surely a well thought through, dynamic and resilient combination of the 2 lines of defense i.e. human and security controls. The thing we need to think about though is that security controls themselves are created, setup and managed by humans and therefore it will always fall back onto the shoulders of ‘humans’ to set these controls up appropriately so they work are able to be managed easily and are secure. There should be a distinction between humans and end users here I think, we are all human and therefore we all need to consistently understand where we sit within a cyber system / environment and what consequences our actions have on the overall security of said ecosystem, hence IT, Sys developers etc. are also human and therefore that logic also applies so their awareness levels also need to be appropriate and maintained and there is the crux of this problem, in that it is no longer acceptable to implement a one size fits all approach to Information Security (IS) because this has and will continue to fail. We need to look outside of the IS/IT industry and learn what tools, techniques, and methods we could and should be using in order to develop much more dynamic and effective IS awareness campaigns for example from from the marketing industry to create personas (i.e. market research) to better understand our target audience because only then can we deliver appropriate content which may resonate with the recipients to potentially create effective behavioural change that then becomes a part of security / organisational culture. Another industry we can look at is behavioural economics and choice architecture (see the nudge) which is all around us in every high street store, supermarket, airport etc. and is geared toward making us commit to a specific action i.e. purchase something but these choices (architectures) can be created and set up in such a way as to improve the decision making process of end users (humans) enabling them to make safe (default) choice actions when interacting with security controls for example. The key here is that neither the humans or security controls should be considered as a magic bullet and neither should be implemented in isolation instead a combination of both must be adhered to and managed accordingly in order for us to have any hope of creating and nurturing a successful and resilient cyber culture.

Leave a Reply