Securing the Human and Missing the Point
SANS (after acquiring Lance Spitzner) has launched a new security awareness program called “Securing the Human”. And, while I applaud them for getting on the bandwagon and realizing that the users are the big threat (and I’ve always been a fan of Lance’s work), they manage to completely miss the point (which Aaron mentioned in his previous post).
Without being too dramatic, I spent a few hours going through the demos of their content and it just made me sad. The content is hokey, poorly edited (note the typo on the Protect Your Passwords poster – should be “use”, not “used”) and guaranteed to do little more than bore the users to death without modifying behavior in the slightest.
Here’s the thing: security awareness is a misnomer. When MAD helps organizations with their security awareness programs, we don’t care if the users are aware. We care that they make the appropriate decisions. Not that they know WHY they’re making the decision, just that they do.
It is exactly the same stance that marketers take. Procter & Gamble doesn’t care that, when you enter your nearest Walmart, you know all of the reasons that Tide is the best detergent. They don’t care that you’re “Detergent Aware”. They care only that, when you place a box of detergent in your cart, it’s Tide.
Similarly, I don’t care that you know WHY you should use good passwords. I care only that you do. And I can incent you to do that a million different ways that involve no (boring) posters, (sad) screensavers, (unwatchable) videos or (immediately discarded) newsletters.
Here’s the point that SANS missed – we’re taking technologists and trying to treat user behavior modification like system design. It doesn’t work like that. People aren’t puppies. And they aren’t machines.
Edit, video removed by YouTube:
An exercise for the reader: Figure out why this video has been watched over 145,000,000 times and you’ll understand why your users ignore your security awareness messages.