Archive for April 2010
Guest article by Dror-John Roecher
Security Awareness – YAH1!
Security Awareness has been around for many years now, but only recently does it seem to have reached new levels of attention and implementation – simply because there is money to be made in the game. Fancy video clips, glossy prints, gimmicks, puzzles and other stuff from the (guerrilla) marketing toolbox are spreading towards InfoSec managers. A video clip is more tangible than a policy; a gimmick is more present than a firewall. It is a matter of Zeitgeist to have a Security Awareness campaign or program.
Rationale behind Security Awareness
The rationale behind Security Awareness is that users play a crucial role in insecurity, that security is increased by following some simple rules and that rule-adherence is increased by understanding the why and how of these rules.
The Short Rant against Security Awareness
But let’s just ask one simple question: Do security awareness campaigns make sense and are they worth the money spent on them? The short answer is: no and no.
A longer Explanation
At the heart of just about all awareness campaigns I have seen so far are the same three or four messages: adhere to the following policies.
1) Clear-x-Policy (x = Desk / Screen)
2) “Work in Public Space”-Policy
3) Password-Policy
4) Challenge-Strangers and Tailgating-Policy
Security Awareness Is Ineffective
Employee turnover cripples effectiveness: healthy employee turnover is commonly put at about 10% p.a. Certain businesses have much higher rates (call centers: around 50%). Security awareness programs are built as campaigns, usually telling a story in a chronological step-by-step fashion (step 1: build up the tension; step 2: introduce basic concepts based on step 1; step 3: take the tension to the next level; step 4: introduce advanced concepts based on step 3). They read like movie plots, in which the employees have to fight a smart, elusive adversary. They have a start and an end. After the story is finished, there may be yearly trainings, an occasional newsletter, a poster and so on to produce some sustainability. But the actual campaign has finished. If you missed it – tough luck. If you got hired while it was ongoing or after it finished – tough luck. Tough luck only for a year or two, because after that you will remember just as much as anyone else – which is usually just about nothing. And in my opinion constant repetition will not change that.
I doubt that policy adherence is significantly increased by understanding the “why and how” of a given policy. As long as there is no tangible, immediate benefit or a personal affinity on the part of the user, awareness campaigns will not dramatically increase policy adherence. There are numerous examples in the offline world to prove my point: car drivers speed, even though they are constantly told that speeding can kill. Tax payers cheat on their tax declarations, even though everyone understands that the government needs the tax money to keep up public life. People eat unhealthy food, even though health is constantly present on TV, in magazines and in other public media – and even though people have a direct benefit from eating healthily. So why should that be any different in digital corporate space?
Security Awareness Is a Step in the wrong direction
Let’s have a look at the development of malware protection in corporate environments. This example will serve to prove the point that awareness is a step in the wrong direction. When AV programs were first introduced in corporate environments, they were configured for “local interaction”: when the program found something suspicious, it asked the locally logged-on user what to do (delete, clean, quarantine, ignore, report, cancel). How did users react? However they liked. Were they qualified to make the “right decision”®? Usually not. Did this increase security? Not really. As a reaction to the inherent problems of this “local interaction” mode, corporations rolled out a “central interaction” mode in which users were relieved of the responsibility to make the “right decision”®. Malware found its way into email and the web; corporations reacted by installing central filters in their email and proxy chains. Again, users were left out of the decision. Nowadays we have broad coverage of malware protection (and still malware hits most environments, so we are still not performing well – or maybe the tools we are using are not aiming at the right angle, or are the wrong tools) and there is just about zero user interaction. We purposely keep the user out of malware protection, simply because we do not trust their capability to take the “right decision”® (and there are multiple other examples where trusting a user usually leads to decreased security – take the SSL certificate warnings that users are expected to judge and click through, for example). All in all I believe it is good to relieve the user of the burden of taking the “right decision”® – let them do their work, and ours is to make the environment adequately secure.
Security Awareness on the other hand heads in exactly the opposite direction: Put more trust and responsibility on the user. Let the user take the “right decision”®. That is a sad excuse for our failure to provide a secure environment.
So let us take a short look at the policies from above, which are usually addressed by security awareness:
Clear Screen Policy: The rationale behind this policy usually makes perfect sense: don’t let others/strangers see what you are working on when you leave your computer. Lock the system when you leave it, even for the shortest period; close all documents at the end of the day or when they are finished.
This policy asks the user to adapt his working habits – without even offering him a benefit. Why should he do that? Instead we should build systems which automatically “lock on leave” – an inactivity lock enforced by central configuration, not a habit the user has to remember. And how much of a risk is it to leave a document open?
Clear Desk Policy: Similar to the clear-screen policy, the clear-desk policy aims at avoiding data leakage through printed documents – by locking them away or disposing of them securely. Reasonable on first thought, but unnecessary if we finally manage to build “almost paperless environments”. The need to print should be, and I believe can be, dramatically reduced – for ecological, economical and security reasons. It is about how we organize work and the environments we work in. If you say that the paperless office is a wishful dream, think about how Apple made it possible to make money from music on the internet – something all of the established music industry failed to realize until it was too late. That is a fine example of embracing change.
Password Policy: My first exposure to the dark side of IT security was a friend of mine showing me how to use John the Ripper to get the root password of a UNIX system at the university – that was almost 20 years ago. We all know of the problems associated with password usage. And we have all told our users numerous times to choose secure passwords. And almost nothing has changed over the last 20 years. Passwords are one of the major failures of security. We should stop telling people about “good passwords” (passwords are like underwear: change frequently, keep private, choose fancy ones) and “bad passwords”. I postulate: all passwords are evil. We should work to get rid of passwords instead of wasting money on ineffective password policies and password awareness. Let us finally get rid of passwords and replace them with something better.
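To make the point concrete, here is an added example (not from the original article, and not a tool of the author): a miniature rule-based guesser in the spirit of John the Ripper’s mangling rules, run against a constructed set of passwords that every one of them satisfies a typical “8 characters, 3 of 4 character classes” complexity policy. The wordlist, the rules, the sample passwords and the use of unsalted SHA-256 as a stand-in hash are all assumptions made for the example; the point is only that policy-compliant passwords built the way users actually build them fall to a few hundred guesses, while the one random control password does not.

```python
import hashlib
import itertools

# Constructed sample set (made up for this example, not from any real breach):
# every entry passes an "8+ characters, 3 of 4 character classes" policy.
# The first six are built the way users typically build them; the last one
# is random and serves as a control the rule-based guesser will not find.
SAMPLE_PASSWORDS = [
    "Summer2010!", "Password1", "Welcome123!", "Company99",
    "P@ssw0rd1", "Monday2010", "xT7#vQ2pLm9!",
]

# Tiny wordlist and mangling rules, a toy version of John's rule engine.
WORDLIST = ["password", "summer", "welcome", "monday", "company", "secret"]
SUFFIXES = ["", "1", "12", "123", "99", "2009", "2010", "!", "1!", "123!", "2010!"]


def leet(word: str) -> str:
    """Substitutions users believe make a word unguessable (a->@, o->0)."""
    return word.translate(str.maketrans("ao", "@0"))


CASE_RULES = [
    str.lower,
    str.capitalize,
    str.upper,
    leet,
    lambda w: leet(w).capitalize(),
]


def policy_ok(pw: str) -> bool:
    """Minimum 8 characters and at least 3 of: upper, lower, digit, symbol."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def sha256_hex(s: str) -> str:
    # Unsalted SHA-256 stands in for whatever hash the target stores;
    # the guessing logic does not depend on the hash function.
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def hash_all(passwords) -> set:
    """Simulate a stolen hash store: we only get the digests."""
    return {sha256_hex(p) for p in passwords}


def crack(target_hashes: set, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Enumerate word x case-rule x suffix, hash each candidate, match targets.

    Returns (found: {hash: plaintext}, number of candidates tried).
    """
    found = {}
    tried = 0
    for word, rule, suffix in itertools.product(wordlist, CASE_RULES, suffixes):
        candidate = rule(word) + suffix
        tried += 1
        digest = sha256_hex(candidate)
        if digest in target_hashes and digest not in found:
            found[digest] = candidate
            if len(found) == len(target_hashes):
                break
    return found, tried


if __name__ == "__main__":
    assert all(policy_ok(p) for p in SAMPLE_PASSWORDS)
    found, tried = crack(hash_all(SAMPLE_PASSWORDS))
    print(f"{len(found)} of {len(SAMPLE_PASSWORDS)} policy-compliant passwords "
          f"recovered after {tried} guesses: {sorted(found.values())}")
```

Six of the seven hashes are recovered from a search space of 330 candidates; the complexity policy is satisfied by every one of them, which is exactly why telling users about “good passwords” changes so little. Only the control password, which no human would have chosen, survives.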
Tailgating: There are untailgateable systems (mantraps and single-person turnstiles, for instance) – use these. And have a clear physical boundary between “public space” and “corporate space” – don’t put public conference rooms in corporate space. Again, we can build environments where tailgating is not a problem – and thereby make the awareness nonsense, which doesn’t work anyway, obsolete.
Work in public: This one is a tough one – we are talking about “notebook work” and “telephone work” in public. The best approach would be to reduce the amount of travelling going on – that would have the nice side effects of cutting costs and improving the work-life balance of employees. Where travel is necessary, we can provide users with simple technological means to prevent shoulder surfing: today it is a privacy filter foil we put on laptop displays; tomorrow we may be using glasses which project directly onto the eye. The “automatic lock” feature from the clear-screen policy will help here, too. This leaves us with the “telephone in public” problem. And to be honest, I do not have an idea how to prevent people from yelling corporate secrets across trains or airports. There are people who always shout when they are on the phone. And I don’t believe that anything will change their behavior – no security awareness campaign and no complaints by fellow travelers or coworkers will help. The only hope I have is for a direct brain-phone interface which renders the use of our voices for phone calls obsolete – but that is certainly a wishful dream for the next couple of decades.
Spend the money on developing a strategy
Most companies I work with do not have a “Security Vision” or a broad security strategy. They are overwhelmed by operational demands, driven by the daily need to cope, and do not have the time or money to think strategically about the future. Technology is rapidly changing, internet-savvy employees are entering corporate space, and privacy may soon be an obsolete concept – as the perimeter is today. We need to develop visions and strategies, we need to embrace change and guide corporations, we need to build environments and systems where policy adherence is automatic and where we get rid of useless security concepts like passwords. Instead of wasting time and money on awareness, we should invest in visions, strategies and new concepts.
