It takes two to tango, and at least two opinions to tangle. That's why the security awareness panel held during the recent RSA conference was so frustrating: There was a remarkable lack of diversity in opinion. I attended with hopes for a proper debate, but that would require intelligent dialogue from representatives on both sides of the issue at hand.
Only one of the panelists, Hord Tipton, argued in favor of security awareness, and he did so mildly. Bruce Schneier had decided at the last minute to argue against security awareness -- a decision that may have given some people the impression that security awareness training is indefensible. Other panelists admitted that their experience with security awareness is tangential at best. Dave Aitel, whose negative opinions on security awareness are well documented, stated very early on, "I don't have experience managing a large program."
All the panelists other than Tipton demonstrated a fundamental lack of understanding of security awareness, and in doing so they perpetuated the myth that security awareness programs are ineffective and expensive. But they did worse than that. Aitel, for example, stated, "If you use security awareness as a protective layer, you're opening yourself up to malicious actors like Bradley Manning." That is just wrongheaded. In fact, Manning's co-workers reported him to superiors, as awareness training recommends, but those superiors failed to act. More importantly, the Manning case demonstrated countless failures in security technology that facilitated Manning's crimes. Despite those technology failures, if those in charge had taken seriously the concerns of Manning's peers, his attack might have been thwarted.
Others made objections that seemed irrelevant. Francis Brown stated that security awareness wouldn't have stopped recent breaches that were initiated when users visited a previously benign and much-frequented site that had been compromised so that malware would be installed on visitors' computers. Brown's point seemed to be that security professionals can't make users aware that a site might be dangerous if they themselves don't know that it might be dangerous. Well, OK, I guess that's true enough. But why does he think that security awareness seeks to tell users which sites they can and cannot visit? That's an impossible task. What security awareness training can do is to teach users about things like website checkers, which can limit their vulnerability to bad sites. And no one ever said that security awareness should be the full extent of a company's security efforts. It's a supplement to the technology that we all can use to make our companies safer.
In any event, the sorts of watering-hole attacks that Brown cited are insignificant in number compared to attacks caused by human error. And human error can indeed be ameliorated with security awareness training, though it is impervious to technology fixes.