Security experts agree that humans are the weakest link in the security chain. Virtually all of them agree that security awareness training can strengthen many of those weaknesses.
But how best to do that can generate some debate.
Lysa Myers, a security researcher at ESET, summarized in a recent post what she said was a collective message from several presentations at the recent Black Hat conference: While it is possible to train employees to be "hyper-vigilant," it can create more problems than it solves.
“It is not beneficial for the individual or for harmonious group dynamics to be in a constant state of distrust,” she wrote.
The presenters, who included Zinaida Benenson, of the IT Security Infrastructures Lab at the University of Erlangen-Nuremberg; Jelle Niemantsverdriet of Deloitte; and Judith Tabron of Hofstra University, emphasized the need for security trainers to listen to users and adapt education and security defenses to “how people actually do their jobs.” While that would not eliminate security failures – indeed, nothing will – it would “make it easier for people to make better security decisions more often,” Myers wrote.
Benenson, in a presentation titled, "Exploiting Curiosity and Context," reported on the results of two user studies where more than 1,600 university students received spear phishing messages from non-existent people. The percentage of those who clicked on what would have been a malicious link ranged from about a third to more than half – 56 percent.
The students’ reasons for clicking ranged from curiosity to being addressed by their first names, receiving a message that fit their lifestyle, or thinking they knew the sender.
“Therefore, it should be possible to make virtually any person click on a link,” Benenson wrote in a summary of her presentation, adding that expecting “error-free decision making under these circumstances seems to be highly unrealistic.”
Sending regular spear phishing messages to employees to test their awareness, she argued, could be counterproductive. “People's work effectiveness may decrease, as they will have to be suspicious of practically every message they receive,” she wrote.
That argument gets mixed reviews from a number of experts, although in many cases it comes down to how one defines hyper-vigilant. Nobody thinks security training should leave workers feeling paralyzed or paranoid, but given the variety, sophistication and level of threats, most say a bit of paranoia is a good thing.