A common rallying cry heard around IT Security departments is the need for more security awareness training for corporate users.
This cry seems to resurface every time a new email-borne virus comes out that dupes our users into clicking on an attachment and infecting their PCs. The IT security team invariably finds itself shocked that users could be so easily fooled into clicking on that attachment.
They’re blaming users for not knowing any better.
But is it really (or only) users who are at fault? I say that there’s plenty of blame to go around. And more awareness training will not fix the problem. Oh, I think user awareness training is a good thing, but let’s be realistic about what we can reasonably expect it to accomplish.
After all, the email client didn’t seem to complain when the users clicked on the attachment, which was delivered to users’ desktops via the corporate email servers. Why didn’t the email servers stop the virus? Why didn’t the desktop anti-virus program stop the virus? Why did the email client allow the new code, in the form of an email attachment, to run just because the user clicked on it?
These are not problems that can be solved with user awareness training. The acid test, of course, is whether or not user awareness training will prevent the same sort of thing from happening again. If the result of that test is that it won’t, then what can we reasonably expect a user security awareness training program to accomplish?
Let’s first look at the problem from the user’s perspective for a moment.
It’s all too easy to look back at the virus du jour and laugh at how foolish users were for having fallen for the latest malware trick in the first place. Each user that fell for it probably thought it was perfectly reasonable to click on the email attachment. In their minds, it was the right thing to do at the time. Of course, moments later it became clear that that wasn’t the case. But at the time, it sure seemed to be.
Now, if you talk to software developers, you’re likely to hear them claim that it’s impossible to protect users from ”their own stupidity”.
From the developers’ perspective, they’re building software to meet functionality requirements that were thrust upon them — perhaps by the product marketing folks, but almost certainly by people who didn’t sufficiently think through the security ramifications of their design decisions. It’s quite easy to let security principles slip through without being caught in the design or implementation phase of, say, an email client.
Greg Hoglund and Gary McGraw talk about the trinity of trouble — extensibility, complexity, and connectivity — in their book, Exploiting Software. In much of today’s desktop software, all three of these attributes are present in abundance.
In fact, if they weren’t present, then it’s likely that we wouldn’t buy the software to begin with. The fact is that we’ve grown accustomed to clicking on email attachments to read documents and perform other useful functions.
That is to say it’s not entirely users’ fault for making these ”bad” decisions. There’s plenty of culpability to go around, and user awareness training is simply passing the buck, so that fundamental flaws in our popular software don’t get exploited quite so often — at least, in theory.
As I said above, user awareness training is a fine practice that shouldn’t be abandoned. Users are our first defense against security problems, and they should certainly be educated on how to spot security problems and who to report them to. By all means, teach your users to be wary of incoming email attachments. Teach them to keep their anti-virus software up to date, and their firewall software locked down tight.
Do not, however, be shocked when they make the ”wrong” choice.
So, you ask, if we can’t count on our users to always make the right choice, how can we possibly defend ourselves against new viruses and other nasties that come along?