The Arrogance of User Awareness Training…
Updated: May 23, 2020
I saw a post on LinkedIn this week from a certain Kyle F Kennedy. Kyle’s profile states he’s a “social cybersecurity expert.” I kind of like that, considering I’m always raving about root causes of issues never being technical.
Anyway, what got me about his post is that he said that phishing “fed into people’s desire to be validated as human beings.”
I’d never thought about that, and I found it very true and interesting.
What I have thought of, and noticed, is that people tend to respond far better and collaborate with you if you take the time to talk with them. I repeat, talk with them, not at them.
When I see discussions about user awareness, I see talk of how to scare users into following the rules, how to discipline them, and generally complaining about how they don’t comply with the rules InfoSec departments try to push on them. At best they give up on the users and try to come up with technical solutions to save “those idiots” from themselves.
If you had someone tell you to do a bunch of things, some of which hindered your work, without you really understanding why, and that person didn’t even take 2 minutes to talk to you, didn’t personally explain it to you, didn’t make any effort to understand what you do, didn’t try to see how these rules might affect you… would you feel like helping them out?
It’s actually incredibly arrogant, and it’ll probably annoy them. They are more likely to acquiesce a phishing email than you, because as Kyle said, it actually gives them more validation than you’re giving them.
So “User Awareness Training”, as it’s currently defined, is rather ineffective. It can have value if it is well crafted (and I must say Kaspersky’s upcoming platform looks especially clever as it takes into account some human psychology) but we really need to ramp up our involvement, understanding, and engagement.
It cannot reach anywhere near its maximum potential if there is no interpersonal bond between information security resources and the end user taking the course.
When there is, I find retention is probably three times as high.
When I talk of root causes of issues that can be addressed upstream, before they branch into more issues than you could possibly manage no matter how much money and tech you throw at them, the lack of human collaboration is one of the big ones.
That collaborative spirit is one of the strongest assets in your arsenal to deliver real assurance and lower your infosec cost and effort. And one few InfoSec departments even consider.
It’s also absolutely essential. Without it your assurance will break down and you will eventually be breached. Period.
There’s something else: You might just find that you learn quite a bit from them. Most managers and executives make decisions based on data, and that data is often very misleading. Getting it straight from the operational layer, before it’s been distilled or warped, can be very enlightening, and give you a huge edge.
As always, feel free to reach out. I’m available for consulting engagements and always happy to have a chat.