Awareness training: How much is too much?

Security awareness training is one of the most effective ways to strengthen what is generally known as “the weakest link in the security chain.” The key is to make employees skeptical without paralyzing them with paranoia.

Security experts agree that humans are the weakest link in the security chain. Virtually all of them agree that security awareness training can strengthen many of those weaknesses.

But how best to do that can generate some debate.

Lysa Myers, a security researcher at ESET, summarized in a recent post what she said was a collective message from several presentations at the recent Black Hat conference: While it is possible to train employees to be “hyper-vigilant,” it can create more problems than it solves.

“It is not beneficial for the individual or for harmonious group dynamics to be in a constant state of distrust,” she wrote.


The presenters, who included Zinaida Benenson, of the IT Security Infrastructures Lab at the University of Erlangen-Nuremberg; Jelle Niemantsverdriet of Deloitte; and Judith Tabron of Hofstra University, emphasized the need for security trainers to listen to users and adapt education and security defenses to “how people actually do their jobs.” While that would not eliminate security failures – indeed, nothing will – it would “make it easier for people to make better security decisions more often,” Myers wrote.

Benenson, in a presentation titled, "Exploiting Curiosity and Context," reported on the results of two user studies where more than 1,600 university students received spear phishing messages from non-existent people. The percentage of those who clicked on what would have been a malicious link ranged from about a third to more than half – 56 percent.

The students’ reasons for clicking included curiosity, being addressed by their first names, receiving a message that fit their lifestyle, and thinking they knew the sender.

“Therefore, it should be possible to make virtually any person click on a link,” Benenson wrote in a summary of her presentation, adding that expecting “error-free decision making under these circumstances seems to be highly unrealistic.”

Sending regular spear phishing messages to employees to test their awareness, she argued, could be counterproductive. “People's work effectiveness may decrease, as they will have to be suspicious of practically every message they receive,” she wrote.

That argument gets mixed reviews from a number of experts, although in many cases it comes down to how one defines hyper-vigilant. Nobody thinks security training should leave workers feeling paralyzed or paranoid, but given the variety, sophistication and level of threats, most say a bit of paranoia is a good thing.


Lance Spitzner, director, SANS Securing the Human, said human security requires compromise. “We need to have a certain level of suspicion in people, but how much depends on the organization,” he said, noting that the level would be different at a university than the Department of Defense.


But the bottom line on suspicion is, “not enough and bad guys get through. Too much and definitely trust and the ability to work together breaks apart,” he said.

Joseph Loomis, founder and CEO of CyberSponse, agreed that “awareness is good but unreasonable and unrealistic is another. Without balance, nothing will work in the enterprise.”

Still, he said even if someone he knows sends him a link, he checks on it, “because I do not take anything for granted. Compromised accounts happen all the time.”

In the view of Rohyt Belani, CEO and cofounder of PhishMe, security training should not encourage “a state of paranoia per se, but the right level of prudence or vigilance when recognizing a potential attack.”

He noted that the Department of Homeland Security (DHS) and the New York Police Department both have “See Something, Say Something” campaigns, which don’t encourage people to become vigilantes, but simply to report anything suspicious to authorities.

Trevor Hawthorn, CTO of Wombat Security, said the goal shouldn’t be to create paranoia, but “smart skeptics.”

He likened it to a child learning to cross the street – it requires constant, and perhaps intense, parental involvement at the start. But eventually the child learns how to do it – with constant awareness of the danger that is not disabling. “The child will be able to cross on his own without feeling so fearful that he can’t cross a street,” he said.

Given the level of online threats, “awareness training needs to be constant,” he said. “Not only does it persist the message but it also makes the training and simulations the users’ ‘new normal.’”

Stacy Shelley, vice president and chief evangelist at PhishLabs, said while a constant state of distrust would be destructive, workers do need to have “elevated levels of skepticism during circumstances when more scrutiny and distrust is essential. Those could include everything from a link or attachment in an email to a request from the help desk for one’s password to perform a remote system update.


“Users need to be hyper-vigilant when the situation calls for it. Effective training should focus on helping users recognize those risky situations,” he said.

And Kevin Mitnick, once known as the “world’s most wanted hacker” and now head of Mitnick Security Consulting, said regular, even intense, awareness training shouldn’t have a negative effect on morale or productivity.


Stories by Taylor Armerding
