“The definition of insanity is doing the same thing over and over again and expecting different results.” – Einstein (Well, not really!)
Every day we hear another reason why user awareness (or better-named security awareness) is critical. We hear an announcement of another breach or social engineering attack. And then we get asked why security awareness training has failed us. But what if we are focused on doing the wrong thing to solve this problem? Albert Einstein is often credited with saying, “The definition of insanity is doing the same thing over and over again and expecting different results.” While it doesn’t matter if he said it, the quote is relevant to this problem.
Security awareness training has become a large part of what most people see as infosec. For years organizations have had to provide a regular security awareness training program. This requirement comes from several sources: PCI DSS, NIST, GLBA, ISO 27002, FISMA regulations, and client or partner contracts are just a few examples. This requirement has actually caused one of my favorite ironies. Organizations will send out an email with a link to the training that attempts to teach staff not to click links. According to some figures, organizations spend over a billion dollars a year on this training. Yet every day, another breach is discussed. We hear about another person who fell for that email or gave out their credentials to a caller.
So why is this training not working? What can we do to fix it? I believe that one of the main reasons we aren’t making progress is that we are attacking the wrong issue. Security awareness training attempts to explain to users how they might avoid insecure behaviors. It focuses on how they do things wrong and creates an us vs. them mentality. And organizations have already set people up for failure. How? That is easy. Look at your inbox at work, what do you see? Lots of emails that require using links as part of a workflow. Our systems are based on working through emails and links. Our workflows and procedures depend on that link in an email to move to the next step.
The solution is pretty simple but complex to deploy. The fix is to change how our systems work—moving away from emails with links to communication paths within the application. For example, instead of a link to approve a money transfer, send a message directing the user to return to the banking application. Once there, the user can see a notification where the approval function exists.
We also need to focus on developer training and advisory systems. Exploring the user experience (UX) and explaining the why behind these controls is critical. By working with development teams and project owners, these modifications to new applications and updates to existing ones are more easily accomplished with this collaboration. By modifying the experience, we will make it harder for attackers to leverage our processes against us.
I look forward to hearing your thoughts on this idea. Feel free to join our Professionally Evil slack workspace or visit our website to find more information on our efforts to train and advise developers and DevOps teams.