We alternately hear “people are the first line of defense” or “people are the last line of defense” in cyber security. I haven’t figured out which one is true. Regardless, we need to understand that there are limits to the effectiveness of awareness training and that our first line of defense or our last line of defense (whichever is correct) is quite fallible.
It comes as no surprise to anyone that training humans is not like defining a rule base in a firewall. We tell a firewall what network traffic to permit and what to block based on attributes of the traffic. Similarly, we train our employees on how to identify and resist various types of attacks. Firewalls will dutifully and predictably follow the rules they were programmed with. Humans, however, are a different story.
Let’s imagine for a moment that we have developed a perfect security awareness program. It clearly communicates dos and don’ts, how to spot attacks, how to report problems, and so on, in a way that is memorable and engaging. I propose that the outcome will be significantly less than perfect, because of the following factors:
- People act irrationally under stress from things such as health problems, family problems, medication, and lack of sleep
- Any given person will act upon the same set of conditions differently based on the time of day, proximity to lunch, day of the week, and many other factors that affect his or her frame of mind at the time
- People in a business setting generally have incentives that may, at least some of the time, run contrary to the recommendations of awareness training, such as project deadlines, management expectations, and so on.
This should tell us that awareness training is, at best, a coarse screen that will catch some problems but allow many others to pass unimpeded. As such, we should focus on providing the awareness education that delivers the biggest value in terms of outcomes, and then spend our remaining effort on enhancing process and technical controls that are designed to provide more predictable and repeatable security outcomes, similar to the operation of a firewall.
On a related note, I personally think it’s irresponsible to pin the safety of an organization’s systems and data on an employee recognizing a potentially sophisticated attack. For this reason, I think it is incumbent on us to develop and implement systems that are resilient to such attacks and allow employees to focus on their job duties.