Slashdot Mirror


Schneier: Security Awareness Training 'a Waste of Time'

An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"

9 of 284 comments

  1. Obligatory car analogy by qbast · · Score: 5, Insightful

    It demonstrates that car industry has failed. We should be designing systems that don't need seatbelts and don't care if user decides to slam into a tree at 100km/h. Whole concept of secure driving is just an abstract benefit that gets in the way of enjoying driving.

    1. Re:Obligatory car analogy by mwvdlee · · Score: 5, Insightful

      To stay closer to the original analogy...

      Would you drive a car randomly left by the side of the road with big stickers on it saying "You may be eligible to win $1mln if you drive this car!!! (paid for by Soylent Green Corp.)"?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Obligatory car analogy by DMUTPeregrine · · Score: 5, Insightful

      No, he's saying that we should be adding seat belts and anti-lock brakes and eventually self-driving cars to eliminate the need for the user to focus on safety in driving. He's arguing that the safety should be built into the system, and not rely on the judgement of the user. That's the exact opposite of your example.

      --
      Not a sentence!
    3. Re:Obligatory car analogy by philip.paradis · · Score: 5, Insightful

      Bruce is right. In many environments, information awareness training is an attempt to solve the problem at entirely the wrong end of the failure chain, and is frequently ineffective. It may be difficult to hear for some, but the fact is that such training simply doesn't have a great track record of producing significant overall gains in organizational security, largely owing to the difficulty of mitigating widespread stupidity on the part of human operators. Most companies are not wholly staffed by information security experts, and any perceived near term security gains following training sessions quickly erode as employees revert back to an attitude of "I just want to do X, Y, and Z, and I'm too busy to keep thinking about those scary stories portrayed in last week's training."

      Even military environments suffer from these training challenges. The difference in a military unit is the very real possibility of going to prison for merely mishandling cryptographic material by accident. On the "low" end of the punishment scale, there are more than a few senior enlisted military comms folks out of a job because of such process failures. I served with one such person.

      It's worth noting in closing that you might want to spend a bit of time looking into who Bruce Schneier is before framing him in any additional snarky quote marks. To say this is a man who typically knows what he's talking about is an understatement.

      --
      Write failed: Broken pipe
    4. Re:Obligatory car analogy by hairyfeet · · Score: 5, Interesting

      Sorry, been in PC retail for nearly 25 years and I can tell you training the grunts? NEVER works. Now training the IT staff? Sure, send 'em to Black Hat, pay for security classes, those ARE good investments that will see return, but Sally the secretary, who sees the PC as a magic black box that lets her do her work? Sorry, but it's gonna go in one ear and out the other.

      It would be like trying to teach me how to rebuild cars. I don't like cars, never cared about what model I drove, I just don't give a damn as long as it gets me from A to B, and THAT is how many of your employees see the PC. They don't want to know about the thing, couldn't care less what it's doing as long as they can get their work done and punch out. They have not the slightest interest in PCs, and if you don't have any desire to really learn? Not gonna stick.

      So I have to agree that paying to train the regular staff is just a waste of time and energy. Much better to make sure you have well trained IT staff that can minimize the risk that your end users will have, because frankly you are just wasting your breath when you try to teach somebody who doesn't care about PCs how to securely use one.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Obligatory car analogy by Idarubicin · · Score: 5, Insightful

      You really, really, really don't know who Bruce Schneier is, do you?

      Moreover, you really couldn't even be bothered to do a simple Google search before you shot your mouth off, could you?

      In a way, you're actually making Schneier's point. Posting a snarky Slashdot comment is easy and instantly gratifying; doing the least bit of research is a little bit harder and doesn't pay off immediately -- so you can see which happens more often.

      --
      ~Idarubicin
    6. Re:Obligatory car analogy by Opportunist · · Score: 5, Insightful

      Lazy bums aside, employees are most concerned with getting their work done. Security is usually one of the things that gets in the way of this. I'm often appalled by the way quite a few companies handle security (I tend to see more than my fair share being a security consultant), it often seems they have some CISO who needs to build a monument for himself, showing off how much he works by making sure EVERYONE knows about it by the sheer number of hoops that they have to jump through. That's how you get amazingly stupid setups for passwords like "at least 12 characters, no 3 characters of the alphabet in consecutive order, at least 2 numbers not at start or end and not next to each other with at least 2 special characters ....yaddayadda".

      If you see anything like this, start flipping keyboards and count the ones that contain post-it notes with the passwords du jour (because of course they need to change every other nanosecond, too).

      This has nothing to do with security, people, this is what I dubbed "Monkey Island Security". You remember Monkey Island? Where Guybrush gets jailed by those cannibals and they start putting up more and more elaborate doors every time you escape through the wall? That's what some do in IT security, we get more and more elaborate and time consuming hoops our employees get to jump through while those that want to bypass security can easily ignore that because the problem lies elsewhere.

      NO, and I mean ZERO, security breaches that I have been aware of in the last two decades can be traced to password guessing. It is amazing, though, how more and more breaches that can be blamed on personnel blunders can eventually be traced to them trying to cope (yes, cope) with security. Post-its containing passwords. Security measures unhinged or bypassed by employees because it actually kept them from doing their work. And so on, so forth.

      Security does NOT mean annoying your employees. Perfect security would actually be nearly invisible to your employees. Because that would also include them not being part of the security system, hence, not being able to fuck it up!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
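A constructed illustration of the password-policy argument made in the thread above (added here, not part of any post): the first check encodes the quoted "Monkey Island" complexity rules, the second is a design-side check in Schneier's sense (minimum length plus rejection of known-weak patterns). The blocklist is a tiny constructed stand-in for a real breached-password list.

```python
import re
import string

def complexity_policy(pw: str) -> bool:
    """The hoop-jumping policy quoted in the thread: >= 12 chars, no three
    alphabet letters in consecutive order, >= 2 digits that are not at the
    start or end and not adjacent to each other, >= 2 special characters."""
    if len(pw) < 12:
        return False
    low = pw.lower()
    for i in range(len(low) - 2):
        a, b, c = low[i:i + 3]
        if a.isalpha() and b.isalpha() and c.isalpha():
            if ord(b) == ord(a) + 1 and ord(c) == ord(b) + 1:
                return False  # e.g. "abc" or "xyz"
    digit_pos = [i for i, ch in enumerate(pw) if ch.isdigit()]
    if len(digit_pos) < 2:
        return False
    if digit_pos[0] == 0 or digit_pos[-1] == len(pw) - 1:
        return False
    if any(b - a == 1 for a, b in zip(digit_pos, digit_pos[1:])):
        return False
    return sum(ch in string.punctuation for ch in pw) >= 2

# Constructed stand-in for a breached-password list (assumption, not real data).
BLOCKLIST = {"password", "qwerty", "letmein", "welcome"}

def normalize(pw: str) -> str:
    """Undo the usual leet substitutions and strip non-letters so that
    "P@ssw0rd!9!!" compares as "password" against the blocklist."""
    folded = pw.lower().translate(str.maketrans("@$0134", "asoiea"))
    return re.sub(r"[^a-z]", "", folded)

def design_policy(pw: str) -> bool:
    """Design-side check: long enough, and not a dressed-up known-weak word."""
    if len(pw) < 12:
        return False
    norm = normalize(pw)
    return not any(word in norm for word in BLOCKLIST)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!9!!", "correct horse battery staple"):
        print(f"{candidate!r}: complexity={complexity_policy(candidate)} "
              f"design={design_policy(candidate)}")
```

The leet-folded "P@ssw0rd!9!!" ticks every complexity box yet is rejected by the design-side check, while a long memorable passphrase fails the complexity rules (no digits) and passes the design-side check.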
  2. Invalid comparison by Aethedor · · Score: 5, Insightful

    He's comparing security with health and driving to 'prove his point'. Security is not the same as health or driving. So, any conclusion from making a comparison is a false one.

    Second, you don't have to choose between completely ignoring security awareness training and spending lots and lots of money and time on it. There is a very good choice somewhere in between. I agree with him that the information systems have to be secure and shouldn't offer dangerous actions, but no matter how secure you make your information system, it will all fail if the user has no clue about what he or she is doing. And giving employees a basic level of security awareness doesn't have to cost a lot of money but will still help you prevent a lot of trouble.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  3. Tick the box exercise for auditors by Anonymous Coward · · Score: 5, Insightful

    Security Awareness training is a tick the box exercise most companies do to get auditors off their back.

    Apparently, users are supposed to be "trained to recognise phishing emails and other Internet frauds". IT has enough trouble these days trying to recognise them, and somehow our ordinary users are supposed to recognise them too?

    Users have to be "trained to pick good passwords". The system should be designed to prevent users from picking bad passwords in the first place.

    Users should be advised to "pick strong passwords and change them regularly". Two contradictory statements: no-one can remember a new complex password that changes regularly unless they write it down. Oh, and users should be told "not to write down passwords".

    Awareness training is pushed because there are a number of so-called "security consultants" who have no real technical skills, yet have made a living pushing this snake oil. They unfortunately are also good self-promoters and have the ear of regulators and auditors.

    If you are relying on security awareness to protect your infrastructure, you're screwed. Most users don't care, and even those who do care cannot possibly be expected to remain aware of the myriad of threats that exist. Often, their attempts to remain secure achieve the opposite purpose ("I heard you tell me email was insecure, so I use dropbox now to transmit files to customers").

    What galls me most is I have to spend part of my IT budget this year spending money on this stupid notion because it is expected by auditors. This means I have to cut back on the security projects that make a real difference.