At RSA, specious arguments against security awareness

It takes two to tango, and at least two opinions to tangle. That's why the security awareness panel held during the recent RSA conference was so frustrating: There was a remarkable lack of diversity in opinion. I attended with hopes for a proper debate, but that would require intelligent dialogue from representatives on both sides of the issue at hand.

Only one of the panelists, Hord Tipton, argued in favor of security awareness, and he did so mildly. Bruce Schneier had decided at the last minute to argue against security awareness -- a decision that may have given some people the impression that security awareness training is indefensible. Other panelists admitted that their experience with security awareness is tangential at best. Dave Aitel, whose negative opinions on security awareness are well documented, stated very early on, "I don't have experience managing a large program."

With all the panelists other than Tipton demonstrating a fundamental lack of understanding of security awareness, they perpetuated the myth that security awareness programs are ineffective and expensive. But they did worse than that. Aitel, for example, stated, "If you use security awareness as a protective layer, you're opening yourself up to malicious actors like Bradley Manning." That is just wrongheaded. In fact, Manning's co-workers reported him to superiors, as awareness training recommends, but those superiors failed to act. More importantly, the Manning case demonstrated countless failures in security technology that facilitated Manning's crimes. Despite those technology failures, if those in charge had taken seriously the concerns of Manning's peers, his attack might have been thwarted.

Others made objections that seemed irrelevant. Francis Brown stated that security awareness wouldn't have stopped recent breaches that were initiated when users visited a previously benign and much-frequented site that had been compromised so that malware would be installed on visitors' computers. Brown's point seemed to be that security professionals can't make users aware that a site might be dangerous if they themselves don't know that it might be dangerous. Well, OK, I guess that's true enough. But why does he think that security awareness seeks to tell users which sites they can and cannot visit? That's an impossible task. What security awareness training can do is to teach users about things like website checkers, which can limit their vulnerability to bad sites. And no one ever said that security awareness should be the full extent of a company's security efforts. It's a supplement to the technology that we all can use to make our companies safer.

In any event, the sorts of watering-hole attacks that Brown cited are insignificant in number compared to attacks caused by human error. And human error can indeed be ameliorated with security awareness training, though it is impervious to technology fixes.

The panelists seem not to believe that users are trainable, though. For them, users are the great unwashed, and they would rather not sully themselves by associating with them. This was Brown on the topic: "It's a mistake to think that users can exercise judgment." Actually, users can exercise judgment. It's technology that's incapable of doing that.

Schneier took that hostility to users up a notch by proclaiming that those who exhibit poor security behavior should be fired. He seriously proposed that users who piggyback or use a bad password should be shown the door. If this idea were adopted, there would be a whole lot of firing going on -- especially if companies make no effort to educate those users about security. And users at all levels make these mistakes, from lowly interns to CEOs. Unless a company is prepared to fire its CEO for sharing his password with his secretary, it shouldn't be firing interns who hold the door open for another employee.

Oddly, it was "Fire Everybody" Schneier who also asked, "Do we need to train everyone to be a security expert?" (Schneier's thoughts on security awareness are more coherently presented in this blog post than they were at the conference.) It was yet another comment that betrayed a basic misunderstanding of what security awareness training actually is. The aim is not to turn users into security experts, but to train them on the basics of security and so help them make informed decisions. Since Schneier made a point of comparing security awareness training to driver's training, I have to ask: Does driver's training try to make students professional race car drivers, or simply informed basic drivers?

I suppose that if you have an us-vs.-them attitude toward users, you can't even recognize one of the primary benefits of security awareness training: It can be an opportunity to form a connection between the security department and the user population. Security awareness puts a face on the security team and teaches users to whom to report incidents or suspicious occurrences. Too often the security department is seen as the Department of No, as Tipton pointed out, but security awareness is an opportunity to counter this. And it might also help some arrogant security professionals recognize that users aren't too stupid to make intelligent judgments.

I do believe that there was arrogance on display. Tim Wilson, the moderator, refused to allow questions from the audience, though that is the norm during RSA sessions. That decision enraged the audience, which began to yell at the panelists when denied the opportunity to speak.

Interestingly, in the end, this non-debate debate had another effect on the audience that I would not have expected. They were asked both at the beginning and the conclusion of the session whether they thought security awareness was worthwhile. The first time they were asked, a very small number of people raised their hands. The second time, after the debate, the vast majority raised their hands. Who would have expected a stacked debate to have such an outcome?

Samantha Manke is executive vice president and chief knowledge officer of Secure Mentem. She can be contacted through the website,
