Are Security Awareness Programs Effective?

There’s been a lot of discussion in recent weeks about whether security awareness is effective at all. Dave Aitel and Bruce Schneier have argued that security awareness is a waste of time and money. Many people disagree.

I think Aitel and Schneier would be correct if they clarified their position to say that bad security awareness programs are not effective. Many security awareness programs consist of an all-day class, a wall of text to read, or a video to watch. These approaches tend to be boring, lack context, and offer no opportunity to practice the needed skills.

A good security awareness program can offer useful information and can quickly teach people basic skills for identifying and avoiding the most common attacks. In our past work, we demonstrated the effectiveness of simple and short micro games and simulated attacks in terms of training and retention of knowledge. We have since then expanded our training to passwords, managing mobile devices, safe browsing, handling personally identifiable information, PCI compliance, and more (see here for more information about our security training platform).

Furthermore, many of the threats organizations face today involve the human element. In 2011, Microsoft’s Security Intelligence Report found that close to 45% of malware required some kind of user interaction, and another 26% propagated from USB keys. This means that if people had basic awareness and training about malware, we could avoid 71% of the malware out there.

As another example, phishing attacks have repeatedly proven damaging, with headline news about breaches at Lockheed, Oak Ridge National Labs, the Wall Street Journal, the New York Times, European carbon traders, and US Government employees using GMail. One reason phishing has become so popular is that it circumvents all of an organization’s security measures by targeting the person behind the keyboard.

More and more security problems stem from the human element, and effective training of employees is an essential ingredient of defense in depth. Not having a security awareness program is a risk that just isn’t worth taking.