I need to craft a longer answer, but I will say the results of user education programs are very dependent on the end user being taught. I have had much better luck with some groups than others. The car business. that is definitely a "teaching pigs to sing" experience. Thanks for the insights Raffi and Jody.
I think we'll be hearing more about this topic ;) Jack On Sun, Feb 14, 2010 at 9:17 PM, Raffi Jamgotchian <[email protected]> wrote: > Jack, > > I used to feel the same way that you did only a few years ago. I think it > was particularly because our security program from the larger corporation I > came from was ineffective. The problem with giving up on the end-user is > that you end up with spending too much time and money on tools. I know those > things are not necessarily items that are exclusive of each other but hear > me out. > > When I was asked to be CTO of a small investment firm startup (after I left > larger investment firm noted above), I agreed to every security startup that > I met that I would put their product into my environment at no or low cost > in return for feedback to them and them allowing to use our company name in > their marketing. Besides finding myself becoming somewhat of a tech whore > (sorry if that offends), I found that I was spending too much time > overcomplicating the environment which led to other issues. Both of those > left a bad taste in my mouth so I made a conscious switch. > > Since then, I've moved into a consulting role with the same firm as well as > a few other small investment and non-investment firms. I've found that by > spending one on one time about the consequences in addition to pragmatic > controls is the best defense we have today. Small business typically don't > have the resources to spend oodles of money on tools and people so they have > to do, as Mick said at ShmooCon, "secure enough." > > The church I go to has a prototypical very conservative Armenian priest. > His sermons are super long and are said in two languages (Armenian and > English). When he wants to teach or preach to a point, he says the same > thing three different ways, and then again in both languages. Now someone > that understands both languages got the same lesson 6 times. Guess what, it > eventually sinks in. Although we like to treat employees like adults, and > we expect them to behave that way, the truth is, that most adults (like > Kindergarteners) need repetition in different ways to properly learn. As > security practitioners (and I'll speak to the small business market since > that's what I focus on now a days) we need to be equal parts technologists > to minimize the breakage when things happen but also teach the business > consequences of the actions people make. If you work the consequences into > the conversations in different ways repetitiously, it does eventually sink > in, but it doesn't happen overnight. > > Thanks for sending those links over. I'm always interested in seeing what > others feel about this since my position is an evolving one. > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Jack Daniel > Sent: Sunday, February 14, 2010 2:17 PM > To: PaulDotCom Security Weekly Mailing List > Subject: [Pauldotcom] End user education > > You've probably all seen Larry's fudsec post at > http://fudsec.com/casual-hex-and-the-failure-of-security-awaren (You > haven't? Go now, and make sure you read the comments). I think it is a good > starting point for a conversation we need to have in InfoSec. > > I have largely lined up with the dinosaurs like Ranum in my skepticism of > the value of user education, but have tried anyway. I almost always come > back to Robert Heinlein's quote: "Never try to teach a pig to sing; it > wastes your time and it annoys the pig." We do get some successes, but at > what cost? > > A more informed look at the education we give end users, and the reasons > that they should reject the advice, is found in a paper Cormac Herley > delivered last year. I read it when it came out, and keep going back to it. > It isn't very long, but it isn't really a light read, either. PDF is at > http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf > > You may notice that this is focused on the home user, not the corporate end > user- that is on purpose, there just isn't enough data to extrapolate > conclusions with the level of detail he wanted. Cormac has observed that > end users in business are rejecting the advice anyway. I do think the > numbers have to shift significantly when we factor in the costs of breaches > to organizations and the fact that many fraud protections offered to > individuals do not apply to businesses. My gut feeling is that rejecting a > lot of "security advice" still makes economic sense, at least from the > corporate end-user perspective, but the margins are slimmer. > > There is also the issue of the true cost of breaches; if I have a fraudulent > charge on a card I am not out any money *directly*, but we're all paying > double-digit interest rates on credit cards when the prime is below a > percent, partly to cover fraud expenses- and the price of goods includes an > added margin to cover "shrinkage" (theft, loss, fraud, etc.). We are all > paying for the fraud, but the true costs are so obfuscated that we don't > know what the real numbers are. > > I'm not sure where we go from here, but I do believe we need to be able to > honestly answer the question "is it worth it" before we hand out security > advice and education, especially the same stuff we've been saying for years. > > I think it makes sense to use this information to justify some lockdown of > corporate assets; if the users can't be relied on to protect the assets (and > arguably shouldn't have to), then we need to secure them before letting > people loose to do their jobs. > > I have exchanged a few emails with Cormac, he has received a pretty good > response to the paper and he is certainly a sharp guy. Hey, there's a guest > idea for the podcast... > (Paul's idol, Steve Gibson, even covered this paper, but of course, didn't > speak to Cormac about it). > > Jack > > > -- > ______________________________________ > Jack Daniel, Reluctant CISSP > http://twitter.com/jack_daniel > http://www.linkedin.com/in/jackadaniel > http://blog.uncommonsensesecurity.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- ______________________________________ Jack Daniel, Reluctant CISSP http://twitter.com/jack_daniel http://www.linkedin.com/in/jackadaniel http://blog.uncommonsensesecurity.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
