Every once in a while, I run across articles like The Register’s “Forget security training, it’s never going to solve Layer 8 (aka people)” and I feel like I need to address this sentiment. There are a handful of misconceptions about security awareness, and this is a big one.
Dave Aitel famously presented a case in 2012 for stopping security training altogether and diverting those resources to implementing better technical controls. His reasoning: if you can’t fix a person, you should focus your efforts on fixing what you can.
You might be shocked to learn that I agree with him, but only to an extent.
I truly thank Mr. Aitel for submitting his argument, because it forces us, and our organisations, to question and quantify what we hope to achieve, and to set our expectations accordingly. Specifically, we need to adopt this expectation:
YOU CAN’T FIX PEOPLE!!
Security training and awareness education will not fix people or reduce any risk to zero. But that’s not the point. It never was.
Seeing the value of training can be difficult and murky. But you can look at the situation from a technical, quantified risk perspective and get a rough estimate of the impact of training by calculating your ‘Prevention Cost Per Incident’. Take the cost of the security awareness programme over a period of time, and divide it by the reduction in the number of “Layer 8” security incidents over the same period, compared with the previous one (you do keep metrics, right?).
PCPI = Cost(SecAware programme) / Count(prevented “Layer 8” security incidents)
That’s your ‘Prevention Cost Per Incident’.
So, if you spent $20,000 to implement phishing training for the year, and the number of phishing incidents reduced by 200 this year over last, then your prevention cost is $100 per phishing incident (as a rough estimate).
Now compare that to the average cost of a single preventable incident.
If the prevention cost per incident exceeds the average cost of an incident, then it is the correct decision to make changes to your programme. This is true for any risk mitigation measure. For instance, if the cost to insure against damage to your car exceeds the cost of the car itself, then why insure against damage? If there is an ‘incident’ you can just buy a new car and you’d still pay less than the insurance.
But look at the PCPI formula again: it doesn’t make sense to throw an entire programme out of the window just because prevention currently costs more than incidents. The formula has two inputs you can work on. You can reduce the prevention cost, or you can increase the number of incidents your efforts prevent without increasing costs (both of those goals are a focus of this blog, in one way or another).
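As an added worked example (not part of the original post), here is the PCPI formula and the decision rule above written out in Python. The figures are constructed: the post’s $20,000 programme and 200-incident reduction, plus an assumed average incident cost of $250 (or $60, to show the “rework” case). It also handles the case the formula leaves undefined, a period with no measured reduction, and computes how many incidents the programme must prevent to pay for itself, which is the target to aim at when you are reducing cost or raising effectiveness.

```python
"""Prevention Cost Per Incident (PCPI) worked example.

Added illustration for the blog's formula; all figures are constructed.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AwarenessMetrics:
    """Inputs for one reporting period (values are assumptions, not real data)."""
    programme_cost: float      # what the awareness programme cost in the period
    incidents_before: int      # "Layer 8" incidents in the previous, comparable period
    incidents_after: int       # incidents in the period the programme ran
    avg_incident_cost: float   # average cost of one preventable incident

    @property
    def prevented(self) -> int:
        """Reduction in incident count. Zero or negative means no measured benefit.

        Caveat: a drop may have other causes (a new mail filter, fewer staff),
        so treat the result as the rough estimate the post describes.
        """
        return self.incidents_before - self.incidents_after


def pcpi(m: AwarenessMetrics) -> Optional[float]:
    """PCPI = Cost(programme) / Count(prevented incidents).

    Returns None when nothing was prevented: the division is undefined and
    there is no per-incident prevention cost to compare against.
    """
    if m.prevented <= 0:
        return None
    return m.programme_cost / m.prevented


def net_benefit(m: AwarenessMetrics) -> float:
    """Money saved by the prevented incidents minus what the programme cost."""
    return m.prevented * m.avg_incident_cost - m.programme_cost


def break_even_incidents(m: AwarenessMetrics) -> int:
    """Smallest number of prevented incidents at which PCPI no longer exceeds
    the average incident cost, i.e. the point where the programme pays for itself."""
    return math.ceil(m.programme_cost / m.avg_incident_cost)


def assess(m: AwarenessMetrics) -> str:
    """Apply the post's decision rule: compare PCPI with the cost of an incident."""
    cost = pcpi(m)
    if cost is None:
        return "no measured reduction: PCPI undefined, check metrics and attribution"
    if cost <= m.avg_incident_cost:
        return "keep"
    return "rework"


if __name__ == "__main__":
    # Constructed figures: $20,000 spent, incidents down from 500 to 300.
    for avg_cost in (250.0, 60.0):
        m = AwarenessMetrics(20_000.0, 500, 300, avg_cost)
        print(f"avg incident ${avg_cost:.0f}: PCPI ${pcpi(m):.0f}, "
              f"net ${net_benefit(m):.0f}, break-even at {break_even_incidents(m)} "
              f"prevented incidents -> {assess(m)}")
```

With an incident costing $250 on average, a $100 PCPI is a keeper and the programme needs to prevent only 80 incidents to break even; at $60 per incident the same programme loses money, and the break-even figure of 334 prevented incidents tells you how much more effective (or how much cheaper) it has to become.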
There is another, real but often overlooked, aspect to training. And that is the cultural impact.
I shudder at the imagined situation where an organisation announces that it is going to stop offering security training and start focusing all of its efforts on technical controls. What message will the people hear? What new freedoms will people assume they have? How many insider threats will be hatched in that single moment?
I do not believe that people are ‘criminals in waiting’, watching for the opportunity to do bad things. But I do believe that people are naturally on the lookout for the resources they need to accomplish their goals (good or bad). If the security cultural boundaries are dropped, what new things will well-meaning people start to attempt?
Moreover, if the organisation focuses entirely on technical controls, then people will use the details of the technical controls to define what is, and is not, acceptable behaviour. For instance, training told them not to email files out of the organisation, but due to resource constraints, technical controls allow files under a certain size. So, are people to conclude that emailing files is now ok, as long as it is under the threshold?
Training sets a bar. It sets expectations. It guides well-meaning people to secure behaviours, regardless of technical limitations.
In one company I worked for, I learned through training that they did not want people using USB drives in the laptops. They had an agent on the laptops to try to enforce this policy, but I knew that the software was completely ineffective. I asked the security team about it, and they knew about the problem but had no fix.
So, I asked:
“If I understand the situation, it is possible to plug in USB drives, but you are asking me not to do it. Do I have it right?”
That’s all I needed to know.
Technical controls can be 100% effective, if they are perfectly designed, perfectly implemented, and function perfectly 100% of the time. But security culture keeps working even when configurations, resources, and hardware fail.
So, although I agree with questioning the expectations of an awareness programme, I disagree with those who say that it should be abandoned altogether, because:
- well-designed training prevents incidents for less than those incidents would have cost
- training and awareness affects culture, and culture affects security
Nothing in those two points requires training to be 100%, or even 50% effective in stopping people-based threats.
Training has a very real, measurable, and positive impact on security. I feel that those who advocate forgetting about training are frustrated that people are not as easy to deal with as technology.
Yes, people are simultaneously brilliant and dense, predictably unpredictable, and frustratingly unique.
But most importantly, an Organisation is run by people, not devices. You can secure assets by controlling technology, but you can only secure the Organisation by training people.
So, don’t let the doubters get you down. Every person who wants to forget the value of training is just another opportunity for training, and a convert-in-waiting.