Schneier, Winkler and the Great Security Awareness Training Debate

The value of educating people about cyber security is hotly debated these days, with opposing views on security awareness training coming from Bruce Schneier and Ira Winkler. Stephen Cobb weighs in.

The value of educating people about cyber security is hotly debated these days, with opposing views on security awareness training coming from Bruce Schneier and Ira Winkler. Stephen Cobb weighs in.

Unless you are in the information security business you might have missed the recent debate about the value of security awareness training, in which gents by the name of Bruce Schneier and Ira Winkler took apparently opposing points of view on the pages of Dark Reading. This debate is worth exploring because it could impact the way your organization allocates security resources, and the way you think about your own information security and data privacy. For the record, here is Bruce’s view and here is Ira’s counterpoint.

As it happens, I worked with both Bruce and Ira back in the twentieth century when I was developing and delivering both security awareness programs and security training to some well-known companies. And right there is the first point that I want to make as I review this debate: we do need, as Ira correctly points out, to distinguish between two concepts: security awareness programs and security training.

Some of the confusion between the two comes from a laziness of which I am as guilty as anyone. It is easier to refer to “IT security awareness training” than to say “IT security awareness and IT security training.” A good compromise is “IT security awareness and training,” or to be more fashionable, and arguably more relevant, cyber security awareness and training. I will come back to the cyber aspect in a moment, the point is, security awareness can be raised by training, but that is not the same as security training. For example, I agree with Bruce that:

“we should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.”

This is a fine notion and one that I have implemented in the past in real-world programs where we addressed the information security of an organization on multiple levels:

  1. Security awareness raising presentations to executives: so they understand the seriousness of the threats to the organization and get behind security measures, including security training and the security awareness program.
  2. Security training for IT managers: so they understand their role in defending the organization’s data and systems.
  3. Secure development workshops for developers: so they can do a better job of baking security into the systems they develop for the organization.
  4. Security awareness sessions for all employees: so they understand their role in maintaining the security of data and devices.

Note that spending money on security training developers was not done instead of educating employees. Also note that I have tweaked point #4 in accordance with the times. Ten years ago, the goal for all employees might have been stated as “understanding their role in maintaining the security of the organization’s data and systems.” Today, everyone is a computer user. A lot of our computers are simply called digital devices, and they can all potentially impact both the individual using them and the organization for which they work. This is a reality which undermines the hopes and dreams of a security strategy that can be characterized, in the extreme, like this:

  • Make the systems secure so the users of the systems don’t need to understand security.

I have watched those hopes and dreams falter for more than two decades, but I’m not ready to say “stop wasting money trying to make systems secure because it hasn’t worked so far.” And I am not saying that this “security-purely-through-technology approach” is exactly Bruce’s position, but there are echoes of it in his article:

I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.

My first response to this is that we are not spending enough on training users, period. Organizations routinely hire people for positions that require the use of a computer without either a. asking for proof of user skills, or b. holding the term “user” to any meaningful standard. Consider just a simple conversation between employer Q and applicant A:

  • Q. Do you know how to delete a file?
  • A. Yes.
  • Q. How?
  • A. You drag it to the trash.
  • Q. And then it’s gone?
  • A. Yes, I guess.

Are you comfortable allowing someone with that level of knowledge and skill to use your computers? Are your systems brilliantly designed by developers trained in security so that the people who use them don’t need to know how to delete files? They are? Then what happens when you hire A and some of your files get onto his smartphone and you tell him that’s wrong, he must delete them?

We found that less than one third of Americans had received any computer security training.
For me, the fact that everyone is a user of computers and networks, at work and at play, inside the office and out, means everyone needs educating, to a reasonable level, in the basics of cyber security. (While some folks joke about the overuse of the term “cyber,” it strikes me as a handy way of referring to the ubiquity of inter-connected digital technology.) For example, everyone today, from employees to bosses, to parents and kids, should know how to put a passcode on their smartphone AND why that is a good idea. They should know how to come up with a strong password AND why that is important. Those are examples of cyber security training (how) and cyber security awareness (why). For the foreseeable future we need both, for everyone. But last year, when we asked people about security training, we found that less than one third of adults had received any computer security training at all, ever (this result was replicated across two surveys and included people who were using a computer for their work). Findings like that make it hard to argue that security training doesn’t work. It’s like saying your antivirus software doesn’t work when in fact you’re not actually using it.

Bruce used an interesting phrase in his support of security training for developers: “raising the average behavior increases the security of the overall system.” As I see it, the overall system today encompasses the Internet and all things connected to it. That ubiquity means we need more security training for developers, but also more effort to:

  • raise the security awareness of everyone in society
  • improve the average behavior in the world at large

I love technology, but I have found that every major technology, from steam trains to smartphones, has a downside that ultimately needs to be addressed through a concerted effort that encompasses all of society. The challenge of securing systems and the data they handle cannot be met by technology alone. We the people need to behave better and smarter. In my opinion we need more better cyber security awareness programs and more better cyber security training, not less.