5 myths about awareness

Lance Spitzner of SANS Securing the Human program outlines five common misconceptions about security awareness programs

By Lance Spitzner, CSO
February 11, 2013 02:22 PM ET

CSO - I'm often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong.

1. Training does not work

I often hear people say: "Awareness does not work. I have never seen an awareness program actually change people's behavior."

To be honest, I have to agree with this statement. Most awareness programs in the past have failed to change behavior. However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested.

These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter.

For an awareness program to effectively change behavior, you need to create a program that is designed from the ground up to change behavior.

2. It's not worth it because someone will still mess up

People tell me that awareness is a failure; that no matter how much you train people, there is always a small group who will still fall victim. Folks, security is all about reducing risk, not eliminating it.

Awareness is nothing more than another security control. Why people hold awareness to a different standard is something I'll never understand. Awareness is no different than encryption, firewalls or intrusion detection. However, with awareness, you can get a tremendous return on your investment, in many cases reducing up to 95 percent of the human risk, according to measurements taken in phishing tests. Show me any other control that will get you that type of ROI.

3. People already know what to do

I've read interesting reports from academics that say people already know what secure behaviors to follow, they just choose not to follow them.

Wow, where are these people getting their data? With the organizations I work with, not only do people usually have no idea what secure behaviors they should follow, but they are also hungry to learn. They know there are bad guys online, but they don't know what to do to protect themselves from them. The problem is not the people. The problem is that we are not effectively training them. What is the number-one thing that, in my experience, people did not know? They had no idea that keeping operating systems and applications current was critical to keeping their computers and mobile devices secure.

4. It's all about prevention

When people discuss awareness, they usually focus on prevention alone: they are trying to implement the idea of the "human firewall." While prevention is important, why limit ourselves? Why not train people to become human sensors as well?

Teach workers the indicators of a compromise and have them report potential incidents. For example, if you are doing phishing assessments internally, you should not just track how many people fall victim, but also how many detect and report the attacks. Just think how much stronger your organization would be then.
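One way to put the "track the reporters, not just the victims" advice into practice is to summarize each internal phishing assessment with both numbers side by side. The script below is an added example, not code from the article or from any phishing-simulation product; the event records are constructed sample data, and the field names and the `sent`/`clicked`/`reported` action labels are assumptions rather than the output format of any particular tool.

```python
"""Phishing-assessment metrics: measure sensors as well as victims.

Added example, not from the CSO article. Event records below are
constructed sample data; the Event fields and the 'sent' / 'clicked' /
'reported' action labels are assumptions, not any tool's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    action: str          # one of: "sent", "clicked", "reported"
    ts: datetime


def summarize(events):
    """Return campaign metrics from a list of Event records.

    sent                     people who received the simulated phish
    click_rate               fraction who clicked (the usual 'fell victim' figure)
    report_rate              fraction who reported the message to security
    reported_unclicked       people who reported without ever clicking (true sensors)
    minutes_to_first_report  delay until the first report arrived, None if none came
    """
    sent = {e.user for e in events if e.action == "sent"}
    clicked = {e.user for e in events if e.action == "clicked"}
    reported = {e.user for e in events if e.action == "reported"}
    if not sent:
        return {"sent": 0, "click_rate": 0.0, "report_rate": 0.0,
                "reported_unclicked": 0, "minutes_to_first_report": None}
    send_time = min(e.ts for e in events if e.action == "sent")
    report_times = [e.ts for e in events if e.action == "reported"]
    first_report = None
    if report_times:
        first_report = (min(report_times) - send_time).total_seconds() / 60
    return {
        "sent": len(sent),
        # only count recipients; stray events for unknown users are ignored
        "click_rate": len(clicked & sent) / len(sent),
        "report_rate": len(reported & sent) / len(sent),
        "reported_unclicked": len((reported - clicked) & sent),
        "minutes_to_first_report": first_report,
    }


def sample_events():
    """Constructed sample campaign: 10 recipients, 2 clicks, 4 reports."""
    t0 = datetime(2013, 2, 11, 9, 0)
    users = [f"user{i:02d}" for i in range(10)]
    evs = [Event(u, "sent", t0) for u in users]
    evs += [
        Event("user03", "clicked", t0 + timedelta(minutes=12)),
        Event("user07", "clicked", t0 + timedelta(minutes=25)),
        Event("user07", "reported", t0 + timedelta(minutes=30)),  # clicked, then reported
        Event("user01", "reported", t0 + timedelta(minutes=7)),
        Event("user05", "reported", t0 + timedelta(minutes=15)),
        Event("user09", "reported", t0 + timedelta(minutes=41)),
    ]
    return evs


if __name__ == "__main__":
    for key, value in summarize(sample_events()).items():
        print(f"{key:>24}: {value}")
```

On the constructed data this reports a 20 percent click rate but also a 40 percent report rate, with three people reporting without ever clicking and the first report arriving seven minutes after the send. The time-to-first-report figure is the one that matters to the incident responders: it is how long a real campaign would have run before anyone on the security team heard about it.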
