Bruce Schneier has come out saying that Security Awareness training isn’t worth the money, and I couldn’t disagree more. Specifically, Schneier has said:
I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.
Bruce’s statement and belief reflect the fallacy and overconfidence of the engineer. I saw this discussed once in a seminar on highway safety, where the highway engineers talked about how they once believed that they could eliminate traffic fatalities solely by engineering better highways and better cars. They soon learned that wasn’t enough — they they needed the four Es:
- Engineering
- Enforcement
- Education
- Emergency Response
Engineering highways — or security — is only part of the picture. You still need to have policies and enforce them. You still need to teach users to be aware of threats and to know how to response. And you need emergency response to ensure your systems are not killed by the attacks — that they are resilient and can recover.
Awareness training is a vital part of this. Yes, you can engineer away some of the problems. But you can’t get rid of them all, and you certainly need to educate about social engineering attacks.
Bruce — I’m surprised at you for this statement.
(and now it is off to the shower before I go to work….)
Dan, I agree with you. Unfortunately, much of the security awareness training that I have seen and been subjected to is not very good. And I mean not very good for the majority of staff. If the training doesn’t get internalized, then it doesn’t help much. But what I conclude is that we need better and more engaging training. I saw an article recently about a guy who took the airline emergency training that aircrews take. So now I know that the lights are dimmed so that in event of trouble and, say, smoke in the cabin, the passengers will already have their eyes adjusted. That the flight attendants will open the emergency exit doors unless they are incapacitated — exit row folks are Plan B. And so on. With context and more information, there could be more attention paid.
Agree completely. But the answer is not to discard the training and depend on the systems, as Bruce suggests… the answer is to fix the training. Training is our first line of incident response; it is our line of attack against social engineering ( did you see that excellent social engineering graphic a few weeks ago? If not, look at http://securityskeptic.typepad.com/the-security-skeptic/2013/03/visual-aid-for-raising-social-engineering-awareness.html ). Training prevents us from the “stupids” — the clicks on the emails. We should use engineering where engineering is appropriate, but it can’t do 100% of the job.