Paying Lip Service (Mostly) to User Education

Wednesday, October 24, 2012

Fergal Glynn


Article by Paul Roberts

How well do consumer cyber security awareness efforts work? That’s a good question, and one somebody might consider answering!

The connection between improved security and user education is so well-established as to be almost axiomatic. Better technology, coding practices and testing can only accomplish so much. If customers or employees don’t know that, say, clicking on a curious link on their Facebook wall or opening the iloveyou.exe e-mail attachment could compromise their security, how do we gain ground against cyber crime, cyber espionage, spam and other online ills?

In just the latest example, the security firm FireEye found that cyber criminals were finding more success in bypassing security gear by relying on links to drive-by-download attacks on malicious web sites set up using one-off web domains. The great propensity of users to click on malicious links allowed the new strategy to succeed, spurring even more use of it, FireEye noted. (http://www2.fireeye.com/advanced-threat-report-1h2012.html)
So what’s being done about the dearth of solid user education?

In short: everything and nothing.

Within enterprises, investment in end user education varies, and there’s no hard data on how effective the programs that do exist actually are. A recent survey of 950 IT professionals by the technology trade publication InformationWeek found that end user security awareness training was rated the second most valuable security practice, just behind identity and password management. Unfortunately, the same survey found that only 22% of respondents rated end user awareness programs “very effective” at protecting their organization from internal or external threats. In contrast, fully 66% of respondents to the same survey rated firewalls “very effective,” InformationWeek found. (http://reports.informationweek.com/abstract/21/8815/security/research-2012-strategic-security-survey.html)

In the consumer space, the U.S. government has consistently opted for public-private partnerships to get the word out about the growing danger of preventable ills like malware infections, hacking, identity theft and the like. The results of this “let a hundred flowers blossom” approach are predictable: almost every consumer-facing technology company and service provider has offered up their own prescriptions for safe online browsing, shopping, dating and social networking. But, without any organization to help shape and coordinate those efforts or disseminate the information that they produce, the efforts have little force once the ink on the press release has dried.

One solution might be for the Federal Government to be more engaged in what is, after all, a public information campaign. NIST and DHS might craft a comprehensive education program, and then partner with the private sector to get it out to millions of U.S. consumers. Periodic audits and assessments could test the effectiveness of the program against objective measures of security awareness. Then, over time, elements of the program that don’t work could be reformed or replaced with those that do. “You can’t manage what you don’t measure,” as the old saying goes.

But a recent GAO (Government Accountability Office) report makes clear that the federal government, like too many private sector firms, takes the existence of security awareness programs as prima facie evidence that they work.

Surveying the National Institute of Standards and Technology’s (NIST’s) National Initiative for Cybersecurity Education (NICE), the federal government’s main cybersecurity education effort, GAO-12-757 (http://www.gao.gov/products/GAO-12-757) concludes that scant attention has been paid to whether the program actually works. Neither NIST nor DHS has applied what GAO calls “outcome-oriented performance measures” that might indicate whether and how their many education programs (National Cyber Security Awareness Month, “Stop. Think. Connect.,” and similar grants and programs) are working.

NIST officials, speaking with GAO, acknowledged that they do not measure progress related to awareness activities. DHS, which is charged with delivering the security awareness components of NICE, told the government’s watchdog agency that it does attempt to measure the programs’ effectiveness, just not using “objective oriented” measures. Instead, it relies on more subjective measures such as how many individuals sign up to receive information about the various campaigns, how many events are held in association with each, and how many visits there are to program Web pages.

Like the parallel debate in the public education space, it’s long past time to stop relying on what amounts to anecdotal evidence of progress towards what we all recognize as a critical goal: cyber security awareness. There’s ample evidence that government and industry can partner productively on public information campaigns when the stakes are high — think SARS or H1N1 influenza. Why not a similar, outcome-based effort around online threats like Web-based drive-by download attacks? Industry and – especially – government must do more than just pay lip service to the importance of educating consumers and employees about cyber risks.

Cross-posted from Veracode

Kathleen Jungck In light of the BYOD growth, this issue continues to be extremely relevant. It's time to move on from "Security Awareness" and start addressing a basic foundational level of "Security Hygiene". Employers could then add industry (and company) specific issues on top of that foundation.
1351890064
addie baldric I agree. Almost every consumer-facing technology firm and service provider has offered up their own directions for safe online browsing, shopping, dating and social networking. But, without any association to help shape and coordinate those efforts or disseminate the knowledge that they produce. My web page: http://www.ordercollegepapers.com/buy-personal-statement
1420279637
Mike Erik I agree with this post; nice and relevant post.
Do My Assignment Help
1422271139
Electra Melina Studies like this just so they can have something to post on Twitter... to give lip service on social media about the importance of using modern communication channels. http://www.dissertationpoint.co.uk/
1422593363
Monica Farcas Awesome content, beneficial good work; now I am aware of that which you guys have been doing. http://www.helpinessays.com/
1423467718
Take My Class 4 Me The relationship connecting enhanced security and user education is so well-established as to be approximately self-evident. Improved technology, coding practice and difficulty can only achieve so much. For more detail, visit my site here. http://www.takemyclass4me.com/
1424348309
carson Perry I have been interested in this topic for quite some time. I have been researching it for a couple of hours and found your post to be very interesting. Cheers! http://www.click2assignment.co.uk/buy-assignment.php
1425642171
Braden bond The relation between upgraded insurance and user education is so good and entrenched as to be around absolute. http://www.mycollegeessay.com/pay-to-write-a-paper-for-me
1425972314
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.