I just ran across this article in ComputerWorld by Dave Aitel, CEO of Immunity, Inc., called Why You Shouldn’t Train Employees for Security Awareness:
His credentials (former computer scientist for the NSA) are impressive, but I have to disagree with his logic on this one. His first premise is that because employees at RSA and other “technologically sophisticated” organizations can be phished, this proves that training doesn’t work.
My own more modest background as a law enforcement trainer prior to getting into IT raises a red flag here. Just because police officers, who get training in the academy on firearms tactics, sometimes get shot in a firefight, does that mean we should just give up on training them in defensive shooting? Or does it mean maybe we need to train them more?
He goes on to offer as further proof of the futility of security training that “Even after undergoing four hours of computer security training, 90 percent of cadets [in a West Point experiment] still clicked on the embedded link.” If 98 percent of them would have clicked it without training, the training still accomplished something. But more important, security training shouldn’t be a one-time four-hour deal; it should be an ongoing process to instill the security mindset and make employees think differently about how they use the computer.
Now I’ll grant you that maybe we need to train employees differently. I’m afraid in many companies, security training is being handled much like “gender sensitivity” or “diversity” training – that is, a program is slapped together or a cheap canned curriculum is used, taught by disinterested instructors, not with the real goal or expectation of changing behavior but just so the company can “cover its behind” by documenting that they provided the training. Employees compelled to attend another boring mandatory session don’t pay any attention and learn little or nothing.
But it doesn’t have to be that way. Employees can be motivated by a good and enthusiastic instructor and a well thought out lesson plan to understand their role as partners with the IT department, banning together to prevent the consequences of security breaches and attacks that ultimately impact them as well as the company. And that brings me to another statement in the article, that “a user has no responsibility over the network” – but is that true? Or is that like saying a driver has no responsibility to drive responsibility because he/she isn’t in charge of the roadways?
Aitel claims that “Fundamentally what IT professionals are saying when they ask for a training program for their users is, ‘It’s not our fault.'” Certainly IT shouldn’t dump all the responsibility onto the users, but I believe everyone who uses the network as part of his/her job duties has a responsibility to do so in a responsible manner. As the author says, tellers can’t protect the bank – but they’re certainly trained to be aware and recognize when someone might pose a threat and notify those who do have the knowledge and training to determine whether the threat is real and deal with it if it is; that’s what that little button under the counter is for.
All of his suggestions regarding what organizations should do to protect their networks are excellent, but in my opinion they should be done in addition to employee training, rather than instead of it. Why should the two be mutually exclusive?