Below are the slides, my argument and some photographs from the debate session at RSA that I was involved in alongside Acumin, Christian Toon, Geordie Stewart, Kai Roer, Rowenna Fielding and Javvad Malik. Obviously by posting it here I am only presenting one side of the argument, but if nothing else I hope to at least stir up the conversation as in reality there is no clear cut answer on this topic. The text itself was my first draft notes and attempt to build an argument; I presented it from memory on the day, so it is obviously not an exact duplicate. I felt I was in a challenging position of not only opening up the argument, but also had no one to put a rebuttal against… at least that is my excuse!
I would very much welcome your thoughts on this somewhat hot topic as well as hear about how you do things differently to ensure the effectiveness of your training programmes.
Being asked to open a debate of this nature is probably challenging enough, but having to tell people that their information security awareness programs don’t work is a bit like telling them that they have an ugly baby; however much it may be true it is not something you can get away with saying very often before someone takes offence… or you get asked to justify yourself in a large public forum.
My colleagues will be presenting their cases far more eruditely than I am about to do so, and given what I suspect the prevailing attitudes in this room are I would therefore ask that you keep an open mind, and ask yourself the awkward questions that our arguments will pose. My arguments stem from the perspective of a poacher turned gamekeeper, so I can confidently vouch for their truthfulness from observations on both sides of the table.
So why am I against information security awareness training? Well, I think the actual term itself is outmoded, and the mechanism by which it is delivered more so. I strongly believe there are three key behaviours that stop the effectiveness of security awareness in its tracks.
Ethics training, anti bribery training, how to submit expenses training, how to work the training system training and goodness knows how many other trainings, and all of these have to be done every year, and more often than not within the same few months during “compliance season”. Is it any surprise that the CBT’s are completed whilst listening to iPod’s, that the “time per slide” statistic is never more than a few seconds and that when it comes to the obligatory questions at the end the cheat sheets get handed out amongst people. People simply can’t take any more!
Do your reported security incidents really go up after your training? Because they should as people become more aware of theirs and others security practices. Or do you still continue to see the same number of malware breakouts, lost USB sticks and laptops “left on the train”, all of the stuff that was happening before. Take a closer look, and see what you can find.
And with all of this training going on, it would take a full time job to remember it all, let alone trying to retain it in conjunction with their day job. Any kind of training that is carried out needs to be reinforced through regular practice of what has been learnt. But how often do people consciously “practice” their security skills? How often do you hear at the water cooler “I stopped a virus today!”?
Even when this training is put into supposedly professional training packages aimed at companies, they bizarrely even admit that they are not going to be fully successful; in a previous talk I referenced a company that proudly declared that their course would reduce phishing click throughs by 75%. Their course, by their own admittance is ineffective in 25% of cases.
The information security industry has a habit of streaming facts, rules, laws and requirements at people, throwing questions at them and then expecting them to put into their daily work lives. If they are lucky they might get the odd article or even get talked at by someone from IT Security rather wishing they were somewhere else. The marketing and advertising industries clocked onto this years ago, and produce smart, impactful and “sticky” bite sized pieces of information., why haven’t we?
Around, Through and Under
So we now have a picture of people tired of taking yet another training, can barely remember what the training was about anyway, but are also continually under pressure to get their day job done on time and on budget. With these pressures, people are going to be doing whatever it takes to get the job done.
Transferring a large data file to a client at 10 o’clock at night and the IT department have gone home? USB stick or drop box. Having to deal with hundreds of emails day in and day out? Snow blindness to clever phishing emails. Constantly changing workforce due to rapid growth (or contraction)? Let them in, they need to get their job done just like me. Printers constantly going offline because of under investment? Just keep sending that confidential print job to a different printer until it works, someone else can clear up the spare prints.
Unless their environment is stable, and helps control their actions, or asks them the questions they need to be asked to make an informed decision, people will do whatever it takes to get their job done; the consequences can, and will, be dealt with tomorrow.
Until such a time as companies and the security training industry cotton onto this, all your thousands of pounds, dollars or rubles spent on training courses will buy you one thing and one thing only, a tick in the box of your compliance checklist. Is that enough for you, or do you want more
(Photos courtesy of David Turner)
Having arrived at the Hilton Metropole on Monday lunchtime and finally left the hotel (virtually for the first time) on Friday morning, I am left with a sequence of mad, fascinating, zany, intriguing, bizarre, educational, alcoholic and downright enjoyable experiences. I knew what to expect having attended last year. In no particular order (except by which they fall out of my head) here are my high points, and occasional low points.
Meeting Wendy Nather (@451wendy) of the 451 Group at last and having lunch with her and Kai Roer (@kairoer, and a constant and welcome companion throughout the week);Dinner at The White Swan with my fellow panellists/debate team, Christian Toon(@christiantoon), Geordie Stewart, Rowenna Fielding (@InfosecGeekLady), Kai Roer, Javvad Malik (@j4vv4d), Gemma Paterson (@GemmaPats) and Chris Batten (@Acumin), and supposedly talking about our debate the next day but actually just sharing inapproriate jokes (mostly led by Chris…); The actual debate itself, not a massive attendance although not only were we up against stiff competition numbers were down somewhat anyway; meeting my first bona fide infosec journalist John Leyden (@jleyden) of The Register as well as my second, Dan Raywood (@DanRaywood) of SC Magazine; Meeting James Lyne (@jameslyne) who is not only a genius but also has the audacity to be charming, funny and an all round lovely guy, goddamm him; Watching Christian Toon bluff his way into the Media/Analysts party on Tuesday night, and watch Javvad have to do nothing to get into the IOActive party on wednesday night because everyone knows him; spending nearly an hour chatting with Javvad talking about blogging, public speaking, charlatans and heroes and being very pleasantly surprised at how much we have in common on these topics; walking out of Bruce Schneiers keynote because I found it dull and unengaging which was a real disappointment; finally making my mind up about Ira Winkler after watching his presentation; wishing I wasn’t late for Josh Corman’s (@JoshCorman) keynote, watching Hugh Johnson again, a master of working the room and engaging his audience, and marvelling at what a thoroughly lovely guy he was; spending time with Brian Honan (@BrianHonan) again and always enjoying his funny yet surprisingly modest company; Eating Schawama’s with Javvad and @sirjester, and subsequently meeting the aforementioned James Lyne and Dan Haywood; failing to win a single thing in any of the prize draws, yet still coming back with five t-shirts and a bag of booty; Watching Javvad and Emma Tweet each other whilst standing side by side; Being amazed, yet finding myself also tweeting almost every 10 minutes in synchronisation with everyone else you happen to be with – what has this world come to?; getting beered up with Chritian Toon on Tuesday and not being able to work out why I feel so drunk and he seems so fresh. The next day it turns out he is nearly 15 years younger than me! I obviously look young for my age, and he the opposite!; Spending a fascinating 90 minutes with Josh Corman on Thursday night and being impressed with how genuine, non judgemental and actually concerned he is about our industry; receiving my first ever Friday Five’s in Twitter and seeing it suddenly explode with activity as everyone joined in, for 10 minutes!; Watching Javvad being awarded his RSA Rockstar t-shirt.
There are many other people I met, chatted with and discussed topics raised in the presentations that are just too numerous to mention. If I have missed you out I apologise profusely and blame my poor memory and being inundated with great times.
The photos throughout this article barely scratch the surface of the fun and educational experience of the week, and I am already looking forward to RSA 2013 in Amsterdam next year!