Richard Stiennon says:
So, yes, there is good security awareness training. But I do not include teaching Bobby in reception how to avoid being taken in by Kevin Mitnick. It is futile and silly to expect your average employee to become paranoid enough to ward off social engineering attacks. Rather than invest in posters in the elevators exhorting people to stop strangers in the hallway, you should be investing in better security technology.
I do not agree. Read the whole article and then come back here. I’ll wait.
I’ve been reading Michael J. Santarcangelo, II’s book Into the Breach. I was lucky enough to get a preview copy. I will be posting in more depth what I think of this wonderful book, but I do want to offer the following from the introduction:
We face a human problem where people are the the problem. The problem is that people have been unintentionally, but systematically, disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable.
I agree that technical controls are important and should be implemented where appropriate. However, I disagree that providing awareness training to our people is a waste of time and resources. It can probably be done better, but it still needs to be done. How can we, as information security professionals, expect our users to treat information with due care if they are not aware of the importance of that information and the appropriate way in which to handle it? I submit that we cannot. We must, therefore, help them understand both the nature of the information they deal with on a daily basis and the way to handle that information that ensures that it is kept secure.
That’s where I stand. I am really interested in your thoughts. What do you think about technical controls vs. awareness?
Kevin
Technorati Tags: information security awareness
Infosec Ramblings 
Nice writing. You are on my RSS reader now so I can read more from you down the road.
Allen Taylor
@ Kevin:
Good post. I’m also reading the book and haven’t yet put all my thoughts together on it. Thanks for bringing this up, it makes for a great conversation starter.
I have seen both technology and awareness solutions fail (and neither succeed). Breaches happen. The question arises is, “how much money or effort do you want to spend on X to more significantly reduce the impact of breaches?” where X is on security products/tools, awareness training, talent, etc.
Having worked at a major online auction site, I can say that awareness training failed there. Having seen it fail, my thoughts are that training/education for users will only work for kids. I think “Against the Gods” should be required reading in every high school (and/or college) Economics or Finance Math class. Maybe “Beyond Fear” should be read in some computer and psychology/sociology classes. I’m not an educator (well, at least not in that sense), so I don’t know what to say. But I know that awareness training/education for users does not work. I know that training/education for management, developers, and IT staff works to a certain point.
Jaquith’s “Security Metrics” is supposed to demonstrate the value of technology vs. awareness. Just because it didn’t work for a major online auction site, doesn’t mean that it won’t work for your organization. However, don’t put all your eggs in one basket – technology or awareness. Start small in both areas, and spend on what works.
Personally, I’m very big on talent and instructional capital (certification, training for individuals, etc) over technology/infrastructure solutions or social capital solutions. I’ve seen these work, especially if the organization has a strong focus on process and measurement.
So, my answer is that neither technology solutions, nor user awareness training works for most organizations. The best solution is to assemble the right information for the right set of talented people so that they can build processes and measure them. If you want to call that awareness training, you might want to think about calling it “Organizational Development” instead, as it’s a bit more accurate.
Of course security awareness works – for certain values of “works”. And of course security technologies work – again, defining “work” in a particular way. The clue in both cases is that we should not be anticipating either type of solution to be totally effective. 100% secure is an impossible dream for most, and maybe all, real-world situations.
A more important point is that human and technical security measures are mutually reinforcing. This is a “both-and” situation, not an “either-or”. Technical controls have to be properly specified, designed, implemented, maintained and used [by people] to be effective. Being ‘aware’ of security requirements is not sufficient unless it leads to changes of behaviour and appropriate use of security technologies where possible.
G.