The Truth About Your Disastrous Security Awareness Obsession


Thank you to James Perry and the University of South Carolina for allowing EDUCAUSE to republish this blog [https://www.james-perry.com/tech/2016/11/11/the-truth-about-your-disastrous-security-awareness-obsession]. —Editor

Perhaps These Security Best Practices Sound Familiar?

  • Install security patches.
  • Use good password practices.
  • Avoid suspicious e-mails and links.
  • Connect using a secure network.

If they do, chances are you've recently participated in an end user security awareness activity.

Having an Awareness Program Is Prudent, Right?

With headlines like "Why an Awareness Program Is Critical to Securing Your Organization" or "Human Error is to Blame for Most Breaches," it stands to reason that those responsible for information security would prioritize resources around establishing a security awareness program.

After all, most modern laws and regulations that deal with information security include a requirement to implement some form of security awareness activity into your risk management strategy.

SECURITY AWARENESS = DUE CARE

Everyone Does Awareness Campaigns, So They Must Be Effective!

Yes! Of course you should include security awareness as part of your overall information security strategy! Failure to do so will likely invite "friendly advice" from your favorite auditors and call into question your credibility as an infosec warrior.

Conventional wisdom aside, the question remains as to the efficacy of "securing the human" through traditional security awareness methods (i.e., death by PowerPoint, internal phishing exercises, and clever marketing campaigns).

Quantitative vs. Qualitative Data? You Decide!

According to the Verizon 2016 Data Breach Investigations Report (see pages 17-19 if you're checking sources), the following results occurred after a yearlong phishing awareness campaign:

  • 30% of phishing messages were opened by users
  • 12% went on to click on the malicious link or attachment
  • The median time for the first user to open a malicious e-mail was 100 seconds
  • The median time to click on an attachment was 225 seconds

As the report states, this "[proves] that most people are clearly more on top of their e-mail than I am." What's more disturbing is that these results were not all that different from baseline tests.

Vanderbilt University recently published a study they performed inside a company involving 1,500 users over a period of time with multiple campaigns. Eric Johnson, the lead researcher, had this to say:

"Our conclusion is that these types of training exercises, while maybe they're not completely useless, are not going to move the needle a lot."

When asked why, Johnson went on to say:

"It seems like in groups of people, particularly inside a corporate firewall, who just click on everything, training doesn't seem to slow them down one iota… We called them the 'Clickers' and it didn't matter how much training you did, these people just kept clicking… It's hard to really understand why; I think it is just human curiosity at play. It's very hard to get folks, particularly when the deception is pretty good, to really step back for thirty seconds and look at it and say, 'Is this something I should be clicking on?'"

Recognize the Problem

Despite not having a concrete theory on the root cause, Johnson may have unknowingly pointed to the answer. When asked if there are solutions to protect users, Johnson said:

"...[This] really puts the ball back into the technical court, that is, how can we protect users from ever being able to make a decision on these things either by ensuring they never receive the e-mail to begin with, warning them appropriately in the e-mail, or by catching them as they click and preventing that connection from occurring."

Another study recently published by the National Institute for Standards and Technology (NIST) found that forcing users to remember complex passwords, create new accounts, download software updates, avoid pop-up ads, and click here but not there (those talking points we ALWAYS emphasize in our security awareness efforts) is having an unintended consequence on our users – a phenomenon coined "security fatigue."

According to NIST researchers, security fatigue comes down to requiring too much decision-making of an end user. As a result, users either plunge ahead carelessly or give up altogether. In either case, they end up more vulnerable.

As stated in the report, "The majority of computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues."

Unintended Consequences! So What Then?

Security professionals have largely forgotten the principle of end-user transparency. When server and client-side attacks were the normal avenue for compromise, organizations worked to design and implement technical solutions that were invisible to the end user. These security controls were effective at making it harder to successfully attack a vulnerable Apache web server or perform remote code execution through Internet Explorer. With the realization that social engineering is the new path of least resistance, hackers have updated their tactics.

Rather than adopting strategies that reflect past successes in securing our systems through strategic design and implementation of technology controls, the focus has shifted to improving the "human firewall." As noted by Eric Johnson in the above referenced Vanderbilt study:

"The idea is quite simple. Most of us are in companies where we do [some] kind of regular security training. Once a year, you've got to take the online test or you don't get your paycheck – some such thing like that. While it makes everybody feel better that we've checked the box and done it, it doesn't prove to be all that effective. Embedded training is an idea that says 'Let's try to take the training to the point of need, that is: At a point of time when a user is about ready to make a mistake or is making a mistake, can we provide some training?' Maybe they will pay a little more attention. Maybe they'll really learn from it."

In other words, while security awareness efforts are required to demonstrate due care, their limited efficacy and negative impacts provide a clear indication that security professionals must find alternatives to combat the phishing and malware attacks of today.

The NIST report offered the following advice: "The data provided evidence for three ways to ease security fatigue and help users maintain secure online habits and behavior."

  1. Limit the number of security decisions users need to make
  2. Make it simple for users to choose the right security action
  3. Design for consistent decision making whenever possible

The good news is that the era of social engineering may soon be replaced by the avalanche of opportunity in the Internet of things (IoT) that is rolling your way.


James Perry is the chief information security officer at the University of South Carolina who likes to write [https://www.james-perry.com/tech] about tech and information security in his spare time.

Republished with permission. All rights reserved.