Security awareness can be the most cost-effective security measure

I was once called into a multinational oil company which wanted advice on a situation. One of their employees called them, because a coworker was displaying unusual behaviors. An investigation was performed, and it was learned that the coworker was giving information to a Chinese intelligence operative. At another company, an employee stopped a person from tailgating them into a facility and it turns out the tailgater was responsible for stealing more than a dozen laptops from company facilities.

While performing a penetration test at one company, the security manager told me I should take a long lunch at a very specific restaurant and just listen to conversations. I learned of the company's marketing plans for a top product. Going to lunch at dozens of restaurants near the National Security Agency, an organization with extensive security awareness efforts, I have heard nothing of any significance.

During a firewall penetration test, a strictly technical penetration test, I received a call from a bank vice president telling me to stop my social engineering BS. I asked what the person was talking about, and was told that their people had received a call asking for details about the firewall. As their awareness training described, they replied that they needed the caller's contact information and would get back to them. The manager assumed it must be part of my penetration test, which it wasn't.

It was a real attack, and they responded appropriately.


I can go on, and give dozens of examples of security awareness success stories, but everyone knows of such success stories. Frankly, everyone reading this article can likely point to countless personal stories of how their behavior saved them from being a victim of some attack.

First, let's stop and consider what security is. Dave Aitel's recent column "Why you shouldn't train employees for security awareness" gives the impression that every security measure should be 100 percent effective. Aitel even reinforces that concept in a response to one of the many comments criticizing the article.

In his own comment, Aitel notes:

"The only thing you really know about awareness training is that no matter how much you spend on it, one time out of ten it completely fails. The one person you want to be aware is, of course, your CSO, so he can institute security measures that make awareness a non-issue."

But every security measure, technical or otherwise, has failed and will fail again at some point in time. If you don't realize that, you really suck as a security professional. The definition of "security" is literally "freedom from risk." You will never be free from risk in the real world. What "security" professionals are actually performing is "risk management."

Security professionals are supposed to design and implement security programs that cost effectively mitigate risk. Period. Not completely prevent risk, but mitigate the risk. You will have losses, but your goal is to control the losses in a reasonable manner.


The question to ask is whether the losses prevented by awareness training exceed the cost of the awareness program. For example, since every successful phishing attack has a cost associated with it, if you reduce successful phishing attacks by 50 percent, you mitigate 50 percent of the potential losses. But Aitel uses a 2004 example as proof of his opinion, in which, after a four-hour training session of unknown quality, there was still a 90 percent success rate for phishing attacks.

That literally proves nothing.

Clearly awareness techniques have improved since then, but even so, the question to pose is: "What were the cost savings from the 10 percent reduction in successful attacks, compared to the cost of the training program?" And that is only the beginning of the weaknesses in his use of this example.

The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction in loss will always be a good return on security investment, especially when the cost of a typical security awareness program is minimal.
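The return-on-investment question above is the standard annualized loss expectancy (ALE) comparison: expected loss before the control, expected loss after it, minus what the control costs. The following is an added example, not code from the column or its author; it models the two reductions the text discusses (50 percent, and the 10 percent implied by the 2004 example) and also computes the break-even program cost. The attack volume, per-incident cost and program cost are constructed figures, not data from the page.

```python
"""Return on security investment (ROSI) for an awareness program.

Added example, not from the column. All dollar figures and attack counts
are constructed for illustration; the percentage reductions (50 percent,
and the 10 percent from the 2004 example) are the ones the text discusses.
"""


def annual_loss_expectancy(attempts_per_year, success_rate, cost_per_incident):
    """ALE = expected successful incidents per year x cost per incident."""
    return attempts_per_year * success_rate * cost_per_incident


def rosi(attempts_per_year, baseline_rate, reduction, cost_per_incident, program_cost):
    """Net benefit and ROSI ratio of a control that cuts the attack success
    rate by `reduction`, expressed as a fraction of the baseline rate
    (0.5 means half as many attacks succeed).  ROSI = net benefit / cost."""
    before = annual_loss_expectancy(attempts_per_year, baseline_rate, cost_per_incident)
    after = annual_loss_expectancy(
        attempts_per_year, baseline_rate * (1.0 - reduction), cost_per_incident
    )
    net = before - after - program_cost
    return {
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net,
        "rosi": net / program_cost,
    }


def break_even_program_cost(attempts_per_year, baseline_rate, reduction, cost_per_incident):
    """Largest program cost at which the control still pays for itself:
    the loss it avoids is ALE_before x reduction."""
    before = annual_loss_expectancy(attempts_per_year, baseline_rate, cost_per_incident)
    return before * reduction


if __name__ == "__main__":
    # Constructed scenario: 1,000 phishing attempts a year, 30 percent succeed
    # untrained, each successful phish costs $5,000, the program costs $50,000.
    scenario = dict(attempts_per_year=1000, baseline_rate=0.30, cost_per_incident=5000)
    for reduction in (0.50, 0.10):
        r = rosi(program_cost=50_000, reduction=reduction, **scenario)
        print(f"reduction {reduction:.0%}: net benefit ${r['net_benefit']:,.0f}, "
              f"ROSI {r['rosi']:.2f}x")
    print(f"break-even program cost at 10%: "
          f"${break_even_program_cost(reduction=0.10, **scenario):,.0f}")
```

The point the numbers make is the one in the text: even the 2004 result, read as a 10 percent reduction, is a positive return as long as the program costs less than the loss it avoids, and the break-even figure is the honest yardstick rather than "did it stop everything".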

Then there is the fundamental concept that the I in IT stands for INFORMATION, not computers. The acronym CISO stands for Chief INFORMATION Security Officer, not Chief Network Security Officer. Aitel's article and its recommended countermeasures, offered in lieu of awareness training, fail to recognize that information exists outside a computer network. Returning to the quote above, there is no technology that will prevent the human mishandling of paper information and computer media. Yes, media can be encrypted, but the cost of trying to find lost media, even if it is eventually found, can be enormous, drain resources and result in public embarrassment. The return on investment for a security awareness program of this form can be huge, even if it prevents only a single incident.

But the biggest issue is perhaps that security awareness efforts are frequently not optional. Any good security practitioner realizes that their clients have to adhere to a variety of compliance standards, with a variety of interpretations. Awareness programs are required or implied by standards including PCI and HIPAA. Telling people not to do something because the pontificator believes it is a bad idea is just not an option, even if the guidance is reasonable.

So just to summarize, the fundamental issues of security include, but are not limited to, the following: no security measure is perfect; awareness mitigates non-technical issues that technology can't; CISOs and other security managers are responsible for protecting information in all forms; and in many cases awareness programs are not optional. The fact of the matter is that no security measure should be measured by the standard of perfection. The real standard is return on investment. By that standard, you will find that security awareness is one of the most reliable security measures available.

Stories by Ira Winkler