Security's Everyman

Security's Everyman

Wednesday, May 02, 2007

The ineffectiveness of technology solutions

Amrit thinks that user awareness training is a waste of time and money. I think he is wrong. I think ineffective user training is a waste of time and money. I also think that if we follow his line of thinking on this that we should abolish user training and all technology designed to secure our networks. After all we spend lots of time and money on them and they still have vulnerabilities that allow the bad guys access to our systems.

I know he has been listening to lots of people gripe about "stupid users" lately and he has experienced his fair share of them in his life. I know I have and they are very frustrating. But statements like his regarding it being a waste are VERY unproductive. He said "As security professionals let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible," That's all fine and good, but it's not something that we can all do. Not all of us are in positions where we can do these things, but most of us are in a position to teach someone how to be more secure. Not to mention that until the time comes that we have these "technical and procedural controls" in place we still have users who need to be trained. It's
unreasonable to think that a session (probably quiet boring) of UA training and a few emails, posters, and (more boring) documents to read will change a behavior that has been going on for years.

User Awareness training has to be relevant and interesting in order to be effective. Different people learn in different ways and to expect them to all fit into the same mold is unreasonable. We adapt spam filters and firewall rules and IDS/IPS signatures to various attack styles, why aren't we willing to adapt UA training to various learning styles?

Now all that said I do want to be fair and let Amrit finish the quote above. "
that doesn’t mean that no awareness training should be performed but in an enterprise it should probably consume 1% of 1% of the total security budget, of which on average is 4-8% of total IT budget." He isn't against user awareness he just doesn't like the current state of it and thinks that there are better ways to spend time and money. Fair enough. I just think that before we go off making statements like this in a public forum we need to think about them more.


Amrit said...

Although I appreciate your position I would state that I have thought about user awareness training plenty, in fact there are a slew of Gartner materials I wrote on the subject. The reality is that I cannot find any evidence that it works in a large organization, perhaps in a SMB where there is a different culture and emotional tie to the communal success, but even then I question it.

On the other hand there is lots of data, some anecdotal - others not so much, that suggests that it is, well a waste of time.

So to be clear I did not say it shouldn't be done, but it is largely ineffective today and if we do not realize that then we are fooling ourselves.

Rob Lewis said...

The problem with training is that it is not 100% effective, in all cases. It might be useful in training staff to report suspicious behavior by a co-worker, where any improvement in awareness helps. Where it fails is with things like opening email, downloading, sloppy password handling and human errors, where even one slip up can cause grief for an entire enterprise.

LonerVamp said...

That is somewhat where I come from on the technology vs training seesaw. I like training and teaching others how to be more secure in their work and lives, but I also really strongly feel that technology and process really do need to be transparent to the user and not something they have to do all that much about. I like training and do believe it has great value, but... :)

Of note, I also think some orgs are poised if not already moving back to thin client architecture, thus taking back and centralizing IT and security.

Andy, ITGuy said...

Amrit, I know that you didn't state that it shouldn't be done. That's why I made sure to add the rest of the quote. I surly don't want to misquote or come across as only telling half the story.
You do have a point about large organizations having a much harder job than SMBs in effective user training. Most of them have a hard enough time just getting it done much less making it fit particular learning styles.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.