The following is a guest post from our longtime friend and colleague Stephen Cobb, Senior Security Researcher for ESET.

There is one statement that I’ve heard from information security professionals that annoys me no end: “We tried security awareness and it didn’t work.” When I hear that I want to say: “Really? How hard did you try? And for how long?” Because security awareness is not something you “try,” it’s something you do, all the time, like basic hygiene and disease prevention, with booster shots on a regular basis.

Imagine going into the employee bathroom at a supermarket or restaurant and realizing there is no sign reminding employees to wash their hands before returning to work. You go to the manager and ask why there are no signs. He says: “We tried that and it didn’t work.” You inquire as to what “didn’t work” means in this context, and he says: “We found some employees weren’t washing their hands, even though there was a sign.”

At which point you’re probably asking yourself how the guy got to be a manager. I find myself asking if something similar is happening at organizations where security awareness has been abandoned because “it didn’t work.” And I’m wondering who’s to blame. Could it be that security professionals like me, who enthusiastically advocate security awareness programs, are somehow creating unrealistic expectations? I’m prepared to entertain that possibility.

Every year I attend a variety of conferences and workshops where people who are working to protect the security of information systems discuss the challenges they face, from the seemingly never-ending stream of bad actors entering the fray, to the relentless waves of new security products promising solutions, to the increasingly specific regulations being imposed upon a growing number of companies. And in those discussions I discern a very human trait, a strong desire to find “the answer,” a desire so strong that it may distort perception.

Let me give you an example slightly outside of security awareness: scanning for malware. There’s been a lot of talk this year about the failure of scanning to catch every piece of malware being fielded by the bad guys, leading to some high profile system compromises. At times, the tone of that talk seems to imply that vendors of antivirus programs had been claiming their products provided complete system protection. Yet I don’t see any evidence of that, just as I see no evidence that advocates of security awareness programs are claiming they deliver all the system protection you need. So it’s possible that disappointment at the failure of any one solution to be the 100% solution comes as much from people hearing what they want to hear as it does from over-selling on the part of those who specialize in a particular solution.

The fact is, we are three decades into the information system revolution sparked by the personal computer and nobody has found a way to maintain system security without human cooperation. That human cooperation comes from awareness and training efforts that are constant, not abandoned because some people failed the phishing test or forgot to log off at the end of the day.

Maybe, if our schools had started teaching basic security principles several decades ago, more people today would be familiar with the concept of defense in depth. Because that is where both malware scanning and security awareness fit: within a multi-layered approach to defending systems. You don’t stop scanning for malware because it doesn’t catch everything (your systems would soon be clogged with hardy perennials like the Conficker worm). And you don’t stop reminding people of the basics, like not sharing passwords, not letting unbadged persons enter badged areas, and not inserting a USB drive into a production system without scanning it for malware. Some security controls can be automated with technology (for example, you can force the scanning of removable media upon insertion), but it is my belief that the human factor will always be there. So if you’ve tried awareness and not been impressed by the results, please reconsider and try again, maybe with more realistic goals and more engaging strategies. Failure to communicate to employees their responsibilities in the fight to defend our systems is not an option.

Stephen Cobb

Senior Security Researcher at ESET North America
Stephen Cobb has been researching computer security and data privacy for 25 years, advising companies, consumers, and government agencies on the protection of sensitive data and systems. Cobb has been a CISSP since 1996 and currently leads a San Diego-based research team for security software maker ESET. He is also working on an MSc in Criminology at the University of Leicester in England.