Dave Aitel of Immunity Inc stirred up a bit of controversy (to put it incredibly mildly) a week or so ago when he write a blog post for CSO Online called “Why you shouldn’t train employees for security awareness“. His post can be summed up as follows:
- Security training is hard.
- It’s not always effective.
- Harden your infrastructure instead.
All valid points, and if you want to read a rebuttal, you’re in luck. Here’s three, by Boris Sverdlik (@jadedsecurity) , Scot Terban(@krypt3ia) and Iftach Ian Amit (@iiamit). They’re also all rather nice people and you should follow them on Twitter.
Now, let’s address the first two points:
- Security Training is hard.
I’m not going to argue here. I was once in the position of having to write security awareness training manuals for an organization of 5000 people, the entirety of which were non-technical. It sucks. It’s hard to get people to care about these sorts of things if they aren’t pre-disposed to having a coronary attack whenever they see a suspicious log item on Splunk. It’s not easy.
Another huge issue is the massive gulf of perspective when it comes to security issues. We see a social engineer; They see someone who they can help and make have a better day. We see an essential security update; They see an inconvenience which will disrupt their workflow. We see a laughably insecure password; They see one that’s easy to remember. Until we address this massive dissonance in perspective, we’re not going to get anywhere.
In the 90′s, Will Smith was always banging on about how parents don’t understand. Well, in security, it’s like that, except with everyone else. Scary, isn’t it?
However, with that said, there’s something we can do about it… Read on for more information.
- It’s not always effective.
I’m not sure if I agree or disagree here. I honestly think it depends on the quality of the training material and who gives the training. I’ve seen some pretty terrible security training before. Trainers who chose to scare, rather than educate*. I’ve seen people leave seminars and training sessions scared of security breaches, but with no palpable tools or methodologies to prevent attacks. That is insanity. It’s also counter productive.
It’s also useful to remember that your training is only going to be as effective as it is fit for purpose. If your material is dry, boring and not relevant, people are going to immediately forget it. It won’t sink in, and people will continue using insecure practices.
That said, if your security training rocks, then yeah. I imagine it’ll be pretty effective. Barclays Bank have some great security awareness manuals where they try to teach people about infosec concepts through poetry, short stories, comedy and art. Now, isn’t that actually awesome? Seriously. It’s called ‘Consequences’ and you can read about it here. I have a copy, and I can vouch for how awesome it is.
So, here’s a question for you? How can we make security training engaging, entertaining and effective? How can we make it so that it sinks in, and we don’t have to get our message across by clumsily relying on fear.
In recent years, we’ve had this revolution in how we teach. We’re no longer confined to the old paradigms, which was limited to dull, drab textbooks which had to be memorized. We now know that there are better ways. We now know that people learn best vicariously through storytelling**. We now know that gamification is a great way to teach, and ensure that people remain motivated and committed to learning. Gamification has been used by companies like DuoLingo and CodeAcademy to teach languages and software development. And you know what? It works.
So, why on earth aren’t we utilizing these techniques in all our training material? It makes absolutely no sense. So, let’s fix that.
I want to create a training manual that is entertaining. That is accessible. That is effective. That can be translated into any language and be deployed into any environment. And I want you to help me make it.
I’ve created a github project. It’s a clean slate. There’s nothing there. You have absolute creativity. Want to write a short allegory about password security? Go nuts. Want to write a poem about flash drive encryption? Do it! Want to make a comic about social engineering? Sure! The aim is to have something that once completed can be compiled and shared freely, and deployed within organizations at no cost to them.
Got a question? Email me. Or tweet me. I’m not fussy.
* Incidentally, the clown I’m referring to described ‘PHP’ as a hacker tool used to steal personal information. I’m not even kidding.
** Want proof? Read the first chapter of Harry Potter. What’s the road that the Dursleys live on? What’s their son called? Who does Mr Dursley work for? I bet you got at least two of these right. Likewise, try reading the first chapter of the PostgreSQL reference manual. How much do you remember? Exactly.