Awareness training: How much is too much?

Taylor Armerding | Sept. 16, 2016
Security awareness training is one of the most effective ways to strengthen what is generally known as “the weakest link in the security chain.” The key is to make employees skeptical without paralyzing them with paranoia


Security experts agree that humans are the weakest link in the security chain. Virtually all of them agree that security awareness training can strengthen many of those weaknesses.

But how best to do that can generate some debate.

Lysa Myers, a security researcher at ESET, summarized in a recent post what she said was a collective message from several presentations at the Black Hat conference: while it is possible to train employees to be “hyper-vigilant,” doing so can create more problems than it solves.

“It is not beneficial for the individual or for harmonious group dynamics to be in a constant state of distrust,” she wrote.

The presenters, who included Zinaida Benenson of the IT Security Infrastructures Lab at the University of Erlangen-Nuremberg, Jelle Niemantsverdriet of Deloitte, and Judith Tabron of Hofstra University, emphasized the need for security trainers to listen to users and adapt education and security defenses to “how people actually do their jobs.” While that would not eliminate security failures – indeed, nothing will – it would “make it easier for people to make better security decisions more often,” Myers wrote.

Benenson, in a presentation titled, "Exploiting Curiosity and Context," reported on the results of two user studies where more than 1,600 university students received spear phishing messages from non-existent people. The percentage of those who clicked on what would have been a malicious link ranged from about a third to more than half – 56 percent.

The students’ reasons for clicking included curiosity, being addressed by their first names, receiving a message that fit their lifestyle, or thinking they knew the sender.

“Therefore, it should be possible to make virtually any person click on a link,” Benenson wrote in a summary of her presentation, adding that expecting “error-free decision making under these circumstances seems to be highly unrealistic.”

Sending regular spear phishing messages to employees to test their awareness, she argued, could be counterproductive. “People's work effectiveness may decrease, as they will have to be suspicious of practically every message they receive,” she wrote.

That argument gets mixed reviews from a number of experts, although in many cases it comes down to how one defines hyper-vigilant. Nobody thinks security training should leave workers feeling paralyzed or paranoid, but given the variety, sophistication and level of threats, most say a bit of paranoia is a good thing.
