It takes two to tango, and at least two opinions to tangle. That's why the security awareness panel held during the recent RSA conference was so frustrating: There was a remarkable lack of diversity in opinion. I attended with hopes for a proper debate, but that would require intelligent dialogue from representatives on both sides of the issue at hand.
Only one of the panelists, Hord Tipton, argued in favor of security awareness, and he did so mildly. Bruce Schneier had decided at the last minute to argue against security awareness -- a decision that may have given some people the impression that security awareness is indefensible. Other panelists admitted that their experience with security awareness is tangential at best. Dave Aitel, whose negative opinions on security awareness are well documented, stated very early on, "I don't have experience managing a large program."
With all the panelists other than Tipton demonstrating a fundamental lack of understanding of security awareness, they perpetuated the myth that security awareness programs are ineffective and expensive. But they did worse than that. Aitel, for example, stated, "If you use security awareness as a protective layer, you're opening yourself up to malicious actors like Bradley Manning." That is just wrongheaded. In fact, Manning's co-workers reported him to superiors, as awareness training recommends, but those superiors failed to act. More importantly, the Manning case demonstrated countless failures in security technology that facilitated Manning's crimes. Despite those technology failures, if those in charge had taken seriously the concerns of Manning's peers, his attack might have been thwarted.
Others made objections that seemed irrelevant. Francis Brown stated that security awareness wouldn't have stopped recent breaches that were initiated when users visited a previously benign and much-frequented site that had been compromised so that malware would be installed on visitors' computers. Brown's point seemed to be that security professionals can't make users aware that a site might be dangerous if they themselves don't know that it might be dangerous. Well, OK, I guess that's true enough. But why does he think that security awareness seeks to tell users which sites they can and cannot visit? That's an impossible task. What security awareness can do is to teach users about things like website checkers, which can limit their vulnerability to bad sites. And no one ever said that security awareness should be the full extent of a company's security efforts. It's a supplement to the technology that we all can use to make our companies safer.
In any event, the sorts of watering-hole attacks that Brown cited are insignificant in number compared to attacks caused by human error. And human error can indeed be ameliorated with security awareness, though it is impervious to technology fixes.
The panelists seem not to believe that users are trainable, though. For them, users are the great unwashed, and they would rather not sully themselves by associating with them. This was Brown on the topic: "It's a mistake to think that users can exercise judgment." Actually, users can exercise judgment. It's technology that's incapable of doing that.
Schneier took that hostility to users up a notch by proclaiming that those who exhibit poor security behavior should be fired. He seriously proposed that users who piggyback or use a bad password should be shown the door. If this idea were adopted, there would be a whole lot of firing going on -- especially if companies make no effort to educate those users about security. And users at all levels make these mistakes, from lowly interns to CEOs. Unless a company is prepared to fire its CEO for sharing his password with his secretary, it shouldn't be firing interns who hold the door open for another employee.
Oddly, it was "Fire Everybody" Schneier who also asked, "Do we need to train everyone to be a security expert?" (Schneier's thoughts on security awareness are more coherently presented in this blog post than they were at the conference.) It was yet another comment that betrayed a basic misunderstanding of what security awareness actually is. The aim is not to turn users into security experts, but to train them on the basics of security and so help them make informed decisions. Since Schneier made a point of comparing security awareness to driver's training, I have to ask: Does driver's training try to make students professional race car drivers, or simply informed basic drivers?
I suppose that if you have an us-vs.-them attitude toward users, you can't even recognize one of the primary benefits of security awareness: It can be an opportunity to form a connection between the security department and the user population. Security awareness puts a face on the security team and teaches users to whom to report incidents or suspicious occurrences. Too often the security department is seen as the Department of No, as Tipton pointed out, but security awareness is an opportunity to counter this. And it might also help some arrogant security professionals recognize that users aren't too stupid to make intelligent judgments.
I do believe that there was arrogance on display. Tim Wilson, the moderator, refused to allow questions from the audience, though that is the norm during RSA sessions. That decision enraged the audience, which began to yell at the panelists when denied the opportunity to speak.
Interestingly, in the end, this non-debate debate had another effect on the audience that I would not have expected. They were asked both at the beginning and the conclusion of the session whether they thought security awareness was worthwhile. The first time they were asked, a very small number of people raised their hands. The second time, after the debate, the vast majority raised their hands. Who would have expected a stacked debate to have such an outcome?
Samantha Manke is executive vice president and chief knowledge officer of Secure Mentem. She can be contacted through the website, securementem.com.