[personal profile] adric
Bruce Schneier's 19 March 2013 blog on DarkReading "On Security Awareness Training: The focus on training obscures the failures of security design" is making headlines with his bold assertion that "training users in security is generally a waste of time and that the money can be spent better elsewhere". The piece argues by examples from other fields of health and safety education that complex decision making can't be easily taught to a large population in an effective way and that if security awareness training as enacted in the past 20 years was effective we would see commensurate change in the behaviour of the population. Schneier’s standing as a cryptographer and esteemed author gives tremendous weight to this controversial argument.
 
Although Schneier's editorial is more persuasively written and less overtly provocative, he is essentially arguing the same point as Immunity's Dave Aitel did in his 18 July 2012 editorial on CISO Magazine, "Why you shouldn't train employees for security awareness: Dave Aitel argues that money spent on awareness training is money wasted". Aitel's recommendation is to eliminate awareness training and instead fund secure development and software testing to harden systems so that user behaviour isn't so dangerous to the organization: "It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization".
 
Aitel's piece provoked much discussion and many online rebuttals [1], and Schneier's post has already generated some well-reasoned responses. Benjamin Mauch commented to link to his spirited rebuttal "Security Awareness Education". He is quite passionate about security awareness and has given talks on security education, including one recently at DerbyCon. Mauch argues that the mechanisms of training in common use, such as computer-based training and quizzes, perform poorly, but that engagement and education of users to develop a User Defense "layer" is effective and vital to defense.
 
Mauch's colleague Dave Kennedy, Founder and Principal Security Consultant at TrustedSec, posted his own response to Schneier's post, titled "The Debate on Security Education and Awareness". Kennedy outlines his concerns with the general ideas in Schneier's post and then examines a handful of the arguments quote by quote from the DarkReading post. He then expands a few of the metaphors (e.g., driver education) and shows how a broader interpretation of them supports a different view.
 
[1] Rebuttals to Aitel include:
http://www.infosecisland.com/blogview/21981-Throwing-the-Baby-Out-with-the-Bath-Water.html
http://www.iamit.org/blog/2012/07/security-awareness-and-security-context-aitel-and-krypt3ia-are-both-wrong/