Down the Rabbit Hole: Why People Question the Value of Security Awareness
Perry Carpenter
Author | Speaker | Podcast Host | Security Behavior Alchemist | GenAI Researcher | Deceptionologist | Folklore Enthusiast
In my last post, I spent a bit of time discussing the “technology vs. training” debate, and based on the feedback I received, I can tell that this is a debate many of you have had to engage in. So, let’s go a bit deeper. To help you respond to these types of arguments, I’m posting a small excerpt from Chapter 2 of my book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. This section, titled Down the Rabbit Hole, is basically the launching point for the rest of the book. It unpacks the frustration that many have with the old-school approaches to training, while also making a solid case for the need for effective training. Enjoy!
-----------------------------------Excerpt--------------------------------
When I was discussing the proposed content of this project with Jim Minatel at Wiley Publishing, he immediately said, “Oh, you are going for a true liberal arts view of security awareness.” Yes! Jim got it. And I’m hoping that you will “get it” as well, because for far too long the security industry has approached awareness in an extremely one-dimensional way.
The frenetic pace and competing priorities that security professionals face daily are the biggest contributors to one-dimensional thinking and shallow approaches to security training. As you have undoubtedly seen, the negative effects of this are far-reaching. People aren’t equipped to make good security decisions. That leads to security failures. And then leaders question the validity of security awareness programs and their ability to provide positive value. They question not only the ROI associated with the time that employees spend on the training but the value of doing training in the first place.
This leads some within the security industry to argue as follows: because security incidents still happen in organizations that had already provided security awareness training directly related to the cause of the incident, security awareness is of little-to-no value, and only technology will help an organization prevent security issues.
Heck, even respected security experts like Bruce Schneier have made similar comments. In a 2013 blog post, Bruce wrote, “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.” While I have a lot of respect for Bruce, I think that his perspective here doesn’t align with reality. I also think that it doesn’t align with his broader thinking in the areas of security and technology. As an example, Bruce has a very well-known quote...the one that I used as an intro to Chapter 1: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
So, what does it mean when even our industry’s best and most respected thinkers have such contradictory opinions about the value and ability of security awareness training to reduce an organization’s security risk? I personally think it signals frustration with the status quo and a hope for something better. We know that current security technologies have inherent failures, allowing users to make unintentional or intentional decisions that lead to security incidents. At the same time, despite receiving training, users still make these unintentional or intentional decisions.
As an industry, we will always have to solve (and evolve) for both sides of the equation (technology and humanity). Not implementing standard and reasonable technology-based tools proven to improve an organization’s security posture would be negligent. Similarly, not acknowledging that technology will never be 100 percent effective at stopping well-crafted attacks that target humans, such as emails or other messages that reach your end users, is also negligent. The two approaches are not mutually exclusive. And whenever we create stronger security controls intended to help our organizations, there will be a group of employees who will intentionally or unintentionally find ways to bypass those controls. The human element must be a factor in the deployment of technology, and it should be understood as a security layer in and of itself. Your defense-in-depth security strategy should always account for the following:
- Determined human attackers who are continually probing for flaws within your security technologies (and flaws will always exist)
- Unwitting employees who find themselves on the receiving end of a cybercriminal seeking to accomplish their goals by going around the technical layers of an organization’s defenses, targeting humans instead
- Employees who negligently or intentionally circumvent technical controls
- Employees who negligently or intentionally divert from the organization’s policies, controls, and processes
- The interdependency between policies, controls, and processes that exist in the physical world and those of the organization’s technology-based systems
- The ever-evolving ecosystem of mobile, IoT, and other new technology-based systems that your people will engage with
- The reality that digital data can easily spill into the physical world (e.g., printouts, whiteboards, conversations, and so on)
Thinking about this, we can safely conclude that the human element of security will always be something that deserves intentional focus. And that’s where security awareness training comes in. But it’s time to push past the one-dimensional programs that have given security awareness training a bad name. Our goal is to change hearts, minds, beliefs, instincts, and behaviors. All of this means that we need to think broadly and incorporate practices from several disciplines in which most security professionals have little experience or expertise: topics such as marketing, public relations, communication theory, behavior design, culture management, and more.
Transformational programs break from the mundane mold that we’ve all seen for decades. That means if you decide to implement the concepts presented later in this book, you may be breaking new ground in your organization. Or, maybe you’ve started incorporating some of these practices already. If so, congratulations! My hope for you is that you’ll be further challenged and encouraged to keep going deeper.
This is the point where I get to pretend to be Morpheus from the movie The Matrix. So, here’s the challenge. My hands slowly open. In one hand, a blue pill. In the other hand, a red pill...
This is your last chance. After this, there is no turning back. You take the blue pill—the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill—you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember: all I’m offering is the truth. Nothing more.
--Morpheus, The Matrix
I see you're still here. Let's begin.
-----------------------------------End of Excerpt--------------------------------
I hope you enjoyed this small sample from Chapter 2 of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. I'd love to hear from you. Feel free to hit me up with any questions or thoughts you may have in the comments or via direct message. I do my best to respond in a timely manner.
Oh... and be sure to join the Transformational Security Awareness group on LinkedIn (https://www.dhirubhai.net/groups/12207804/). I'm planning to use that forum to pre-release and test exclusive content in the near future. Stay tuned!
Until next time.
Note: this article was originally posted in blog form at: https://blog.knowbe4.com/a-transformational-rant-why-people-question-the-value-of-security-awareness.
Technical Collaborator at AUSL di Modena
The link to the CSO Online article is broken; is this the correct one? https://www.csoonline.com/article/2131941/why-you-shouldn-t-train-employees-for-security-awareness.html
Technology Director @ Ultra Creative
Your views on this are spot-on, Perry! Technology is not magic, and not everyone is mindful of security. To be effective, security awareness needs to solve for both sides of the equation. Training employees how to spot and deal with an evolving threat landscape is definitely part of that solution.
I agree! We will also see new technologies empower awareness and cybersecurity teams to deploy these approaches. That’s what Elevate Security does.
Change Catalyst | Public Servant | Passionate About People and Innovation | #EmpoweringPeople #InspiringChange
I want to high-five, "Amen", testify, highlight, and PREACH on this: "We need to think broadly and incorporate practices from several disciplines that most security professionals have little experience or expertise in: topics such as marketing, public relations, communication theory, behavior design, culture management, and more." Yes. Yes. 1,000 times YES.