Security awareness failures
by Anton Chuvakin
In my old SANS webcast titled "What's NOT Working in Security in 2004" I mentioned security awareness as one of the failures. This insightful blog entry from the controversial (due to the "death of an IDS" report of 2003) Richard Stiennon highlights the faults and inherent limitations of security awareness training.
Granted, it is very hard, if not impossible, to develop technical safeguards against social problems (like employee abuse and 'social engineering' attacks), but using security awareness training to plug the holes in technical security countermeasures is not going to work either. Here are some of the highlights: "Security awareness training is like the "Quidado!" sign a hotel or airport erects over a puddle in the middle of the hallway. A dangerous situation is addressed with a sign instead of the immediate application of a mop."
And even harsher: "I say no. Education is not key to security. Good security technology is key to security." He then continues to escalate to this: "If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed."
not so black and white
One could argue that if you need technology to prevent your people from doing something they shouldn't, you didn't educate your people as to what they're supposed to do...
Maybe you did indeed give them the wrong tool, which allowed that insecure activity, but isn't that a case of the wrong technology and not a case of not enough technology? Why not give them a tool without that insecurity rather than use yet another tool to prevent that insecurity from becoming a problem?
I think we need to drop the "tools" analogy, because it confuses the issue.