Bruce Schneier recently wrote a blog post about the value of security training on Dark Reading that is a bit provocative. Similar to the comments Dave Aitel made last year, Bruce asserts that money spent on education is more useful if spent elsewhere on improving security.
I both strongly agree and disagree with this position. Before you assume I am copping out of taking a stance, let me explain. It’s my experience that there are some things worth teaching and others that have little value:
Choosing a strong password – little value
Understanding that AntiVirus can’t protect against many threats – pretty valuable
And so it goes.
I’ve found that it is nearly useless to try to train people on password etiquette for a number of reasons. They don’t care; they don’t believe that it really matters; they are prompted to choose a password at a very inopportune time; they really believe that Password1 is strong. This is an area where it is far better to focus efforts on improving the technical control than spending a bunch of money on more training. Set the minimum password length to 20 characters and give everyone a password manager – oh and make sure that they can’t pick abcdefghijklmnopqrs as their password.
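The kind of technical control described above, as an added example that is not the author's code: a policy check that enforces the 20-character floor and rejects monotone sequences such as abcdefghijklmnopqrs, so that neither Password1 nor the alphabet gets through regardless of training. The run-length and distinct-character thresholds are assumptions chosen for illustration.

```python
MIN_LENGTH = 20        # the floor suggested in the post
MAX_SEQ_RUN = 4        # assumption: longer monotone runs (abcde..., 98765...) are rejected
MIN_DISTINCT = 6       # assumption: catches aaaaaaaaaaaaaaaaaaaa-style padding


def longest_sequential_run(pw: str) -> int:
    """Length of the longest run of characters that step by exactly +1 or -1
    in code-point order, e.g. 'abcd', 'dcba' or '1234'."""
    if not pw:
        return 0
    best = run = 1
    direction = 0  # +1 ascending, -1 descending, 0 no run in progress
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and (direction == 0 or step == direction):
            run += 1          # run continues in the same direction
            direction = step
        elif step in (1, -1):
            run = 2           # direction flipped; a new two-character run starts
            direction = step
        else:
            run = 1           # not adjacent; run broken
            direction = 0
        best = max(best, run)
    return best


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if longest_sequential_run(pw) > MAX_SEQ_RUN:
        problems.append(f"contains a sequential run longer than {MAX_SEQ_RUN} characters")
    if len(set(pw)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed samples: the two passwords named in the post plus a passphrase.
    for candidate in ("Password1", "abcdefghijklmnopqrs", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```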
But in other areas, we are forced to rely on trying to hone the imperfect mind. Recognizing phishing emails and understanding that AV is not perfect are important, because we can’t enable a setting to make people safe. I suspect we all wish the world would invest in writing more secure software, and despite appearances, we are trying, but the tactics for finding weaknesses grow ever more ingenious. I can’t envision a future where we have solved the problem, even if all training spending were diverted to better development practices. So we are left trying to find innovative ways to get people to change their behavior, even if slightly.
I can’t count the number of times employees have expressed surprise and frustration that potentially malicious files might end up in their email inboxes. “How is it possible that a virus can get to my inbox if we are using AV?”
To me, it seems like the trick is figuring out which aspects of security to focus training on, and which can and should be addressed with technology.
On a related topic, I have been working on some security education and have been thinking about how to make it more engaging. I recently flew Delta from Atlanta to Las Vegas and noticed that the airline had remade their safety videos. I have flown hundreds of times and find those videos a bit of a bore, but I was captivated. Delta worked some very humorous elements into the safety video – from a man using a typewriter on a tray table and needing to stow it, to a man in a neck brace unable to look behind him for the nearest exit, to a posted placard that prohibits comb-overs. I couldn’t stop watching and listening to catch the subtle humor that was being presented. On the return flight, I found that the video was mostly different, and so I needed to pay close attention again to get the new jokes. Brilliant move by Delta, in my opinion. I would love to come up with a way to do something similar in my security education programs.