I have just read a pungent US article titled “Why you should not train employees for security awareness”. It has been condemned by the American equivalent of “the usual suspects”. They defend awareness exercises while failing to address the core message. Indeed the article itself failed to follow through on its own argument: that awareness training is no substitute for mandating security by design in new systems, not just patching them after a penetration test has shown the vulnerabilities.
I get annoyed when I hear the mantra, “80% of problems can be fixed by awareness”. It is blatantly untrue, unless “awareness” includes that on the part of (for example) “app” developers that they will themselves be held professionally accountable if they fail to follow good practice. That, in turn, requires the IT industry to finally discover the concept of “professional accountability”.
I recently heard of the efforts of a major organisation to train its development staff to routinely ensure that “extraneous inputs” (my words not theirs) could not be used to enable hackers and malware to “escape” (again I have simplified) from their “apps” and exploit the 20- and 30-year-old known vulnerabilities (e.g. to SQL injection) that are still commonplace on apps and devices being shipped this year. They had a very sensible and practical approach. What I found most interesting was that it was not only so necessary, but also so difficult, to mandate good practice in the light of current professional norms.
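As an added illustration of what “escaping” via an extraneous input means for the SQL injection case named above (example code written for this post, not the organisation's own training material; the table, names and queries are constructed for the demo), the first lookup splices user input into the statement text, so a stray quote changes the query's structure, while the second binds the same input as a parameter and treats it purely as data:

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an app's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Input becomes part of the SQL text: any quote in it is read as syntax,
    # so the WHERE clause can be rewritten by whoever supplies the name.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    # Input is bound as a value by the driver: quotes inside it stay data,
    # and the statement's structure is fixed before the input is seen.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run the same input through both lookups; returns (vulnerable, parameterised)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterised(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary name behaves identically in both versions.
    print(compare("bob"))
    # An input carrying a quote escapes the string literal in the first version
    # and turns a one-row lookup into a dump of the whole table.
    print(compare("' OR '1'='1"))
```

The check a reviewer (or the pub-round bet described below) would run is simply: does any input exist for which the two return values differ?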
The STC chief programmer who ensured my systems followed his structured programming disciplines had no such difficulty. Before hand-over I had to put down £5. Any member of the department could put down 10 shillings and subject my work to the 1960s equivalent of a penetration test. If they succeeded I then had to cover a full round in the only pub in Basildon that would hold them all. Failure to secure the input and inter-operability routines, before the users got their hands on the system, could be very expensive.
I happen to also believe in the value of awareness exercises. I help run the Information Security Awareness Forum and have agreed to be an ambassador in support of the next Get Safe Online Campaign. One of the items for the next meeting of the Forum is a review of the current research on “behaviour change” – supposedly the objective of any awareness campaign. I will ask whether anyone is interested in helping organise an awareness campaign to change the behaviour of the app developers who condemn so many of us to be victimised, however many anti-malware products we install to slow down our systems as they fight each other for control while failing to protect us against well-targeted phishing.
I would very much like to see such an exercise under the umbrella of the new Digital Policy Alliance (website currently under construction) to implement the recommendations it inherits from the EURIM Security By Design Group.