Crypto guru: Don’t blame users, get coders security training instead
Infosec 2013 Experts on both sides of the vendor-customer divide in the UK and a US cryptographer are at odds over whether or not security training is a waste of time.
American crypto guru Bruce Schneier says the fact that “we still have trouble teaching people to wash their hands” means the dosh splurged on staff training is likely better spent teaching developers to make more effective prevention tools.
The chief infosec officer at Rupert Murdoch’s News International, on the other hand, says a combination of training, “soft skills” and security kit can help organisations protect themselves.
Whether it makes sense to invest in training enterprise users to avoid security pratfalls has been a recurring topic at security recent conferences, such as RSA USA. Schneier, for one, reckons that “training users in security is generally a waste of time, and that the money can be spent better elsewhere”, such as security design.
‘Computer security is an abstract benefit that gets in the way of enjoying the internet’
Schneier draws an analogy between security awareness training and health education advice.
“We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever,” Schneier writes in a wonderfully entertaining blog post.
“And people are forever ignoring the lessons. One basic reason is psychological: we just aren’t very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald’s Super Monster Meal sounds really good right now.”
“Similarly, computer security is an abstract benefit that gets in the way of enjoying the internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a lot of bother right now and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy; no one reads through new privacy policies; it’s much easier to just click “OK” and start chatting with your friends. In short: security is never salient.”
Schneier expands his ideas by looking at areas where awareness training or education initiatives work (driving, HIV prevention) and where they fail (training the general public to wash their hands, make drug decisions at a pharmacy, food safety).
He summarises the obstacles in the path of effective security training. “The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don’t really address the threats.
“We should stop trying to teach expertise, and pick a few simple metaphors of security and train people to make decisions using those metaphors,” Schneier concludes, adding that another problem is that “computer security is often only as strong as the weakest link”.
“We should be designing systems that won’t let users choose lousy passwords and don’t care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones.”
Security awareness education isn’t so much a waste of time as misdirected, according to Schneier. “We should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system,” Schneier concludes.
NI security chief: ‘Techies tend to be more arrogant, perhaps more vulnerable…’
But Amar Singh, CISO of publisher News International and chair of the London Chapter ISACA Security Group, disagreed with Schneier’s assessment, describing security awareness training as a process of finding the “right balance between technology and people”.
“You can’t just say don’t open PDFs. Users must have ability to report spear phishing – and inform technical staff. I make the point of being known by people and not living in an ivory tower,” Singh said.
Conventional wisdom might suggest that the less able in any organisation are most in need in security awareness truing. However Singh said that the problem often lies elsewhere. “Techies tend to be more arrogant, and perhaps more vulnerable as a result,” he told El Reg.
“Security preparedness is a mixture of soft skills mixed with technical tools,” Singh concluded.
One of the firms providing technical tools in the area, PhishMe, will be talking about how what organisations can do to train their staff on how to recognise phishing scams and how to prevent them more generally at this year’s Infosecurity Europe show. PhishMe a provider of phishing awareness training is demonstrating its PhishMe Spear Phishing Simulator and its chief exec is making a presentation entitled Make your employees Mal-AWARE: How to implement a scalable behaviour modification program.
PhishMe’s chief executive officer and founder, Rohyt Belani, has been on the opposing side with Schneir and others during recent industry debates about security awareness training, something it prefers to refer as a “behaviour modification programme”.
Belani believes that educating staff on cyber security helps minimise the risk of employees falling victim to an attack. Office workers are receiving as many as 10 phishing emails every day. PhishMe throws simulated attacks at enterprise workers, providing a short (less than five minutes training video or clip) while recording metrics of the results of the exercise.
The bad grammar, mass mailed messages and random attacks that characterised phishing up to a few years ago have been replaced by far more plausible targeted attacks, sometimes put together after research and reconnaissance. “Training can limit damage if attacks occur,” Belani explained.
With six simulations the number of workers falling for phishing attacks, such as opening dodgy links, can be reduced down to 7 per cent. Further training sessions (which are not disciplinary in nature) can reduce this figure down to 3 per cent. “Behaviour modification training is not full proof but it offers an effective risk management approach,” he concluded. ®