While awareness training is critical, vendors and practitioners continue to make ridiculous claims of its effectiveness.
This is one article I really hope people read beyond the headline. Seven years ago, I vigorously defended the value of security awareness efforts and stated that the arguments against awareness efforts were shortsighted. Seven years later, while I’m delighted that most people appear to have come around to my way of thinking, it appears that the arguments for security awareness have become just as shortsighted, if not more so. I believe this is actually dangerous and can lead to the downfall of the industry.
Ironically, I can make the same arguments to disparage the hype vendors and practitioners are now making that I made against Schneier’s comments disparaging awareness training as a whole. Quoting the most critical point from that article:
“More important is that security is about mitigating risk. There is no such thing as a perfect security countermeasure and there never will be. Every technology or security scheme will, or at least can, be bypassed. This is why security professionals advocate defense-in-depth, knowing that you cannot rely upon any single countermeasure. A security program involves a holistic program of countermeasures designed to protect, detect and react to incidents.”
Now we have many vendors claiming they can conquer human error and create a human firewall. Many vendors and professionals tout that they want to make the users the first and last line of defense. Besides the fact that the Verizon Data Breach Investigations Report shows that on average a user will fail 4% of the time, which is more than enough, as you only need one user to fail to enable an attack, this completely ignores the fact that 3% of a user population will be sociopaths and psychopaths. These people will do you harm if given the opportunity. Failing to take this statistic into account while stating that you want your users to be your last line of defense is both ignorant and dangerous, because you can’t control human behavior.
As I did 7 years ago, I truly believe that awareness is an incredibly valuable tool for risk reduction. Every time a user doesn’t click on a phishing message that your software failed to filter, it is a success. Every time a user does not fall for a social engineering call, it is a success. Every time a user implements multi-factor authentication, properly secures their computer, cleans their desk, etc., it is a success.
Taking care of human error, and more importantly the entire issue of user-initiated loss, requires a comprehensive strategy of awareness, governance and technology. You cannot adequately address the overall issue of user error and malicious activity with even the best awareness. Even the best computer-based training and phishing simulations are just tools, not a comprehensive awareness program. More importantly, even a comprehensive awareness program is not a strategy. It is just a tactic within what is hopefully a comprehensive strategy.
Again, a good awareness program can be incredibly valuable in reducing risk associated with user actions. However, and this is a big however, if any awareness professionals or vendors are portraying their awareness tools and programs as the complete solution to the problem, they might as well be providing snake oil.