Crypto guru: Don't blame users, get coders security training instead

Murdoch's infosec man adds 'arrogant' techies also 'vulnerable'


Infosec 2013 Experts on both sides of the vendor-customer divide in the UK and a US cryptographer are at odds over whether or not security training is a waste of time.

American crypto guru Bruce Schneier says the fact that "we still have trouble teaching people to wash their hands" means the dosh splurged on staff training is likely better spent teaching developers to make more effective prevention tools.

The chief infosec officer at Rupert Murdoch's News International, on the other hand, says a combination of training, "soft skills" and security kit can help organisations protect themselves.

Whether it makes sense to invest in training enterprise users to avoid security pratfalls has been a recurring topic at recent security conferences, such as RSA USA. Schneier, for one, reckons that "training users in security is generally a waste of time, and that the money can be spent better elsewhere", such as on security design.

'Computer security is an abstract benefit that gets in the way of enjoying the internet'

Schneier draws an analogy between security awareness training and health education advice.

"We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever," Schneier writes in a wonderfully entertaining blog post.

"And people are forever ignoring the lessons. One basic reason is psychological: we just aren't very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald's Super Monster Meal sounds really good right now."

"Similarly, computer security is an abstract benefit that gets in the way of enjoying the internet. Good practices might protect me from a theoretical attack at some time in the future, but they're a lot of bother right now and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy; no one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: security is never salient."

Schneier expands his ideas by looking at areas where awareness training or education initiatives work (driving, HIV prevention) and where they fail (training the general public to wash their hands, make drug decisions at a pharmacy, food safety).

He summarises the obstacles in the path of effective security training. "The threats change constantly, the likelihood of failure is low, and there is enough complexity that it's hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.

"We should stop trying to teach expertise, and pick a few simple metaphors of security and train people to make decisions using those metaphors," Schneier concludes, adding that another problem is that "computer security is often only as strong as the weakest link".

"We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones."

Security awareness education isn't so much a waste of time as misdirected, according to Schneier. "We should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system," he adds.

NI security chief: 'Techies tend to be more arrogant, perhaps more vulnerable...'

But Amar Singh, CISO of publisher News International and chair of the London Chapter ISACA Security Group, disagreed with Schneier's assessment, describing security awareness training as a process of finding the "right balance between technology and people".

"You can't just say don't open PDFs. Users must have the ability to report spear phishing - and inform technical staff. I make the point of being known by people and not living in an ivory tower," Singh said.

Conventional wisdom might suggest that the less able in any organisation are most in need of security awareness training. However, Singh said that the problem often lies elsewhere. "Techies tend to be more arrogant, and perhaps more vulnerable as a result," he told El Reg.

"Security preparedness is a mixture of soft skills mixed with technical tools," Singh concluded.

One of the firms providing technical tools in the area, PhishMe, will be talking about what organisations can do to train their staff to recognise phishing scams, and how to prevent them more generally, at this year's Infosecurity Europe show. PhishMe, a provider of phishing awareness training, is demonstrating its PhishMe Spear Phishing Simulator, and its chief exec is making a presentation entitled Make your employees Mal-AWARE: How to implement a scalable behaviour modification program.

PhishMe's chief executive officer and founder, Rohyt Belani, has been on the opposing side to Schneier and others during recent industry debates about security awareness training, something the firm prefers to refer to as a "behaviour modification programme".

Belani believes that educating staff on cyber security helps minimise the risk of employees falling victim to an attack. Office workers are receiving as many as 10 phishing emails every day. PhishMe throws simulated attacks at enterprise workers, providing a short training video or clip (less than five minutes) while recording metrics of the results of the exercise.

The bad grammar, mass mailed messages and random attacks that characterised phishing up to a few years ago have been replaced by far more plausible targeted attacks, sometimes put together after research and reconnaissance. "Training can limit damage if attacks occur," Belani explained.

With six simulations, the number of workers falling for phishing attacks, such as opening dodgy links, can be reduced to 7 per cent. Further training sessions (which are not disciplinary in nature) can reduce this figure to 3 per cent. "Behaviour modification training is not foolproof but it offers an effective risk management approach," he concluded. ®
