Does Security Awareness Training Work?

17 02 2012

We have long been conditioned to believe that security awareness training is not just encouraged by the standard bearers in our field, but that it is required, if we’re ever to achieve the vaunted goal of confidentiality, integrity, and availability. Indeed, an entity no less influential than the National Institute of Standards and Technology (NIST) declares that a strong IT security program cannot exist “without significant attention given to training IT users” [1]. Bruce Schneier, another luminary in the field of information security, argues that because computers are hard to maintain, training the user community is the only way to combat their inherent lack of security [2].

But does security awareness training really work? Is there a real, quantifiable difference in security at the user level for groups that have been trained on the dangers of phishing, social engineering, malware, or any of the other types of potential attacks? The studies completed so far have produced largely varied results. At our own Carnegie Mellon University, a study with a small sample size produced positive results — test subjects who received visual training that included a sample attack were exponentially better at identifying a test phishing message than those who had not received any training at all. By contrast, in another study an unnamed military academy provided all of their students with classroom-based awareness training, only to see 80% of them click on a link in a fake spear phishing attempt [3].

Based on the ambiguity of these results, there is a growing voice in the information security community that argues against the value of security awareness training altogether. One such camp believes that, since it only takes one careless user to compromise a network, any money spent on information security awareness training is money wasted.  Others believe that training may have some value, but not at the expense of more tangible security controls that produce real, quantifiable results. This point of view has existed since as far back as 2002, when The Gartner Group, a collection of researchers, concluded that information security dollars were better used for the purchase of hardware and software security applications designed to harden network and workstation security [4].

However, recent data suggests that in practice this security approach can backfire if used on its own. A 2011 survey of 649 Canadian organizations showed that those who banned social media at work suffered more security incidents than those who didn’t [5]. This indicates that more stringent security controls do not always mean that your data is more secure, at least in the age of social media. Users at these companies likely used non-trusted sites or personally-owned devices to circumvent the ban. In this case, user education on the perils of using those non-trusted sites (or on the misuse of company time and the browser monitoring capabilities of the IT department) may have been more effective than an outright ban. So, beefed up security controls don’t always trump security awareness training after all.

            Lance Spitzner, a SANS instructor who writes for their Securing The Human blog, argues that security awareness training only fails if it’s “boring, condescending, and outdated” [6]. Granted, he has a product to sell (SANS’ excellent Securing The Human training package), but he’s not totally off base. A truly balanced information security program includes both technical controls and user awareness training. The truth probably lies somewhere more in the middle. Some form of security awareness training for your user base is a good idea, and although the results will be hard to quantify, it will do more good than harm for your security efforts as long as you keep your users engaged.

_____________________

[1] Hash, J., & Wilson, M. (2003). NIST SP 800-50: Building an Information Technology Security Awareness and Training Program. NIST. Retrieved on February 7, 2012 from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

[2] Schneier, B. (Unknown). Face-Off: Schneier, Ranum debate security awareness training. Searchsecurity.com. Retrieved on February 7, 2012 from http://searchsecurity.techtarget.com/magazineContent/Face-Off-Schneier-Ranum-debate-security-awareness-training

[3] Dekay, S. (2008). Does Security Awareness Work? Some Answers from Experimental Research. Bloginfosec.com. Retrieved on February 1, 2012 from http://www.bloginfosec.com/2008/04/03/does-security-awareness-work-some-answers-from-experimental-research/

[4] Cokenour, M. (2003). The Value of Security Awareness Training in Relation to Asset Expenditures on Commercial Security Products. SANS. Retrieved on February 4, 2012 from   http://www.giac.org/paper/gsec/3350/security-awareness-training-relation-asset-expenditures-commercial-security-p/105518

[5] Hinson, G. (2011). Applying Newton’s third law to information security. (ISC)2 Blog. Retrieved on February 4, 2012 from http://blog.isc2.org/isc2_blog/2011/11/applying-newtons-third-law-to-information-security.html

[6] Spitzner, L. (2012). Top 3 Reasons Security Awareness Training Fails. Securing The Human. Retrieved on February 15, 2012 from http://www.securingthehuman.org/blog/2012/02/15/top-3-reasons-security-awareness-training-fails

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: