The Fallacy of Security Awareness

Please prepare for a bit of a rant:

I’ve been in IT and Information Security for a long time.

When I started in the mid ’90s everyone said, “We need to educate the users”.

That mantra carried on through the years. Platforms changed. Computing grew more powerful. The Internet’s importance took hold and took off and reached beyond expectations.

Now we have cloud computing and *-as-a-Service and Bring Your Own Device (BYOD) and social media and … and … and …

I still hear security professionals say, “We need to educate the users”. And I sigh, meaningfully.

My daughter’s high school presented a mandatory anti-bullying seminar. In the two hours they covered every aspect of why bullying other students was wrong and could lead to terrible consequences. They conveyed why bullying was bad for all students and did so in an emotional and meaningful way. Everyone applauded at the end.

Coming out of the seminar my daughter heard a group of students approach one kid, surrounding him. “If you think that meant anything, you’re wrong”, they said.

The tormenting kids were eventually caught and punished, but the point here is that they went through “user education” and came out the other side more resolute to do the opposite.

Security education runs that same risk, plus oversaturation, resentment and general ineffectiveness. Making things worse, many such programs I’ve seen treat employees like children unable to understand what is work-related and what is personal.

My idea of user education is:

  • Present an Acceptable Use Policy, Employee Privacy Policy, and related materials to new employees on day one for signature
  • Every year as part of performance review, have each employee sign the latest version of the policies with changes highlighted and explained
  • Employees are encouraged to raise concerns at any time to HR or IT or IT Security or Legal or their manager without penalty

It’s also important that the company not hide behind security for unpopular internal measures. The best example I can think of is when a company’s legal department requires and enforces email retention policies. Too often the blame falls on IT, when the business and legal need to step up and own the decision. Such actions degrade IT’s relationship and authority with the user community. Occasionally legal and IT security risks align, but email retention is an example of direct conflict.

What are your thoughts? How is this handled in your organization, for good or for improvement?