Security awareness strategy: Weighing optimism vs. pragmatism

Fostering security awareness is a controversial topic and a difficult challenge, but as Senior Site Editor Eric B. Parizo writes, the methods may not be as important as the passion to succeed.

The merits of fostering security awareness always make for an interesting debate. Some believe trying to teach end users or consumers how to be security conscious is as effectual as tossing a pebble into the ocean. Conversely, there are those like Tony Neate.

Neate, managing director of U.K.-based Get Safe Online, a joint public-private security education initiative aimed at individuals and small companies, is a passionate proponent of security awareness initiatives. In a time when more than three-quarters of the U.S. population and three-fifths of the U.K. population use the Internet regularly, he believes governments, ISPs, vendors and enterprises have a joint responsibility to teach the public not only how to protect themselves and their companies, but also about the increasingly complex ways in which they can be victimized.

"People know what theft is; they know what bank robbery is," Neate said. "Now they also need to know what phishing is and what hacking is, because these are crimes that are with us and they are not going to go away."

Neate's organization is concluding Get Safe Online Week in the U.K., an effort that seeks to raise awareness of Internet security issues through an array of events, competitions and public outreach, similar to the Department of Homeland Security's recent National Cybersecurity Awareness Month.

Neate encourages companies to use a mix of security awareness training methods like Get Safe Online does, including expert speakers, statistics and research, attack scenarios and behavioral training.

Yet this is where the security awareness debate can become contentious. In many organizations, the security staff is already stretched too thin, the budget for security awareness training is nonexistent, and even when security awareness programs are implemented, they are often ineffective because, as Lance Spitzner writes in the October 2010 issue of Information Security, "Nothing is more boring to employees than having to sit through hours of training, and being told what they can and cannot do for the benefit of the company."

"A lot of day-to-day security professionals think security awareness is a waste of time," said Mike Rothman, analyst and president at Phoenix-based security research and advisory firm Securosis LLC and author of the book The Pragmatic CSO. "These folks need to take a step back and have the awareness to do [security awareness] correctly; it can minimize the percentage of people who do stupid things, which allows you, the security professional, to focus on the minority of people who are going to do stupid things no matter how much you train them not to."

Rothman advocates a pointed security awareness strategy for enterprises that shuns formal training and instead focuses on tests for individuals or groups of users that mimic the real-world risk scenarios users often face when sensitive personal or business data may be at risk.

"By running an internal phishing experiment, for instance, when users [fall prey] to it, then you have the opportunity to educate them on how they can identify those messages," Rothman said. "Those kinds of awareness programs are an order of magnitude more effective than a sign by the bathroom or a four-hour training once a year."

Almost as controversial as security awareness training methods is the question of whether enterprises should train employees on how to keep their personal data safe. Neate said a large organization he has worked with in the U.K., after finding traditional security awareness training ineffective, decided instead to focus its training sessions on teaching users how to use the Internet securely at home.

"They got droves of people to attend because people realized it was going to be useful to them at home, but it works both ways, at home and at work," Neate said.

Similarly, Rothman said companies should worry about how employees conduct themselves online when they are not on the clock. Clicking on a malicious Facebook app while using a company laptop, after all, can still put sensitive enterprise data at risk. Rothman also noted that if parents know how to act securely online, they'll pass that knowledge to their kids.

"How do we protect this next generation of kids who have all these tools at their disposal so they grow up knowing how to use them responsibly?" Rothman asked. "That's one of the most significant issues we have in today's tech-enabled society."

For parents, enterprises and groups like Neate's, measuring success when fostering security awareness is perhaps the most vexing challenge. Still, Neate, who retired from fighting cybercrime four years ago, knows the process of educating the masses is going to be slow, but is optimistic that even one ripple in the ocean of security awareness can go a long way.

"I'm passionate about people being secure on the Internet," Neate said. "I hate the bad guys, and I spent 30 years enjoying locking them up. Now, I want to make sure they don't prevent people from being safe and secure online."

Eric B. Parizo is Senior Site Editor of SearchSecurity.com. His rants can also be heard on SearchSecurity.com's Security Squad podcast. Contact Eric at editor@searchsecurity.com.
