- Doug Jacobson, Julie A. Rursch
Most organizations spend thousands of dollars on the latest technology to heighten security and yet overlook one of the lowest cost options available -- increasing security literacy in its employees. The ancient Chinese proverb is true: "Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."
And, we don't mean create an enterprise security awareness program with catchy slogans and no real security education. Teach employees why security is important and show them how hackers use vulnerabilities, created by human carelessness, to attack enterprise networks and computer systems.
Too many times, organizations treat employees as if they can't comprehend the security threats that we try to protect them from technologically. End users love to download software for their PCs and applications for their personal devices to help them with their work or provide some personal enjoyment. Unfortunately, many of them don't ever consider the possibilities of backdoors, spyware, ransomware or botnets being installed as side effects of their activities. However, if we properly lay out the problem with downloads and frame it in an ordinary context, most users can be taught how to protect themselves and their organizations. Historically, security experts have tried to get employees to take the right security measures without an understanding of why these steps help protect enterprise assets.
A security awareness program often features a catchy phrase that is memorable and graphically cute: "Make your password like a good cup of coffee, strong." These campaigns do little to help technology users understand why taking certain security measures is important or how to adjust if a similar, but technically different, problem arises. For example, an employee creates what they assume is a strong password, but then uses it for multiple accounts due to password fatigue.
The "strong coffee" slogan is catchy, but it doesn't have much impact on users because it doesn't tell them what to do. The problem: What does "strong" mean? And, what specific actions are needed to make passwords effective?
Schooled on password cracking
With a security literacy approach, security managers explain to employees what "strong" actually means and demonstrate how to make passwords stronger. To start, they provide basic background information on security issues. For example, hackers get into computer systems by guessing passwords or through brute-force attacks, which may involve cryptanalysis and exhaustive key searches. The attackers' success depends, in part, on the company's security controls and authentication software systems.
Too many times, organizations treat employees as if they can't comprehend the security threats that we try to protect them from technologically.
A strong password is longer and it has more types of characters in it. By making hackers try all the random combinations of letters, numbers and characters, you have delayed -- and sometimes deterred -- them from further login attempts. We even demonstrate the relative quickness of brute forcing a word that's found in the dictionary versus a stronger password by running a password testing utility such as L0phtCrack (now L0phtCrack 6) or John the Ripper. The visual demonstration in which it takes longer to crack the stronger password solidifies the end users' understanding of a larger key space.
In addition to just talking about "strong," we need to help the employees understand the threats associated with passwords. On their own, passwords are not a panacea for security threats. Users need to understand what protection passwords actually provide, and what they do not protect. For example, no matter how technically strong a password is, sharing a password weakens it. A password needs to be viewed as a secret that is well-guarded. A shared password is worthless.
Employees must also realize that when presented with multiple systems that need authentication, the same password should not be used because if it's compromised, the hacker has access to all the systems, not just one. Teaching technology users to have a process for handling multiple passwords is a smarter approach. It also allows them to have better control of their own liability.
Security literacy beyond character strings
We have used the concept of understanding passwords to illustrate the need for security literacy training. However, security literacy goes much, much deeper than this. Employees need to be literate in many other facets of security such as wireless, Web surfing, email and more. By creating the proper examples and putting the threats and solutions in terms the employees can internalize, we argue that users will be able to understand existing threats and adapt to the ever-changing security landscape.
Employees are an organization's most valuable resource. We take time to hire the right people, ensuring they have the best skill sets and the proper values. We train them in our way of thinking to do business, and they make decisions with the best interests of the organization in mind. So, why don't we empower our employees to help the organization become stronger in the area of IT security? By focusing on security literacy for employees, they become part of the conversation and they feel like security is part of their daily responsibilities.
A security awareness program with posters and slogans doesn't help employees internalize these messages. Those campaigns just make employees feel like security is an added burden that's dictated from the top down.
Most employees will make good decisions given enough information and understanding of security issues. We understand from a purely IT perspective that it is easier to focus on technological innovations to solve our security problems. However, no amount of technology will overcome the human factor. Security literacy is the non-technological answer to the ongoing security problem.
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.
Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to email@example.com.