I often get in arguments with computer security experts who declare such-and-such computer defense is worthless because it isn't perfect. No topic exemplifies these types of debates better than the value of user education.
On one side, you have people who believe that user education is a crucial part of any computer security defense. The other side thinks it's a complete waste of time.
Arguments against security education
The naysayers assert that user education hasn't worked in the past and will be very unlikely to work in the future. They have decades of experience and history to back up their argument.
This is despite -- or perhaps because of -- the fact that user education has been a part of cyber security defense forever. We've been telling people not to click on unexpected file attachments, not to give away their passwords in response to strange requests, and not to install strange software for as long as computers have been personal.
Many computer security experts reach the conclusion that users simply can't be educated well enough to make the right decisions. Others feel that even if you train 99 percent of users perfectly, the remaining 1 percent will bring down the network every time.
This last claim seems incredibly true. I first realized in the 1990s that the same people clicked on obviously malicious email attachments (such as the Iloveyou worm, Melissa virus, and so on) again and again. One person would click on the script or executable, and the entire email server would fall over in seconds. Those people never seemed to learn.
Others blame the technology rather than the users themselves. Can you fault people for doing the wrong thing when the instructions change all the time due to new technologies and new threats, particularly when our current security messages warn about everything all the time, even when it's not malicious? How many times did you have to approve running a file you meant to run? We are training users to click Yes to everything in order to perform legitimate work.
Plus, is anyone perfect? I admit that, sometimes, when a system asks for my credentials, I’m not always clear about which system is asking. Why am I being prompted? I’m willing to swear I’ve never given my credentials to a fake system -- but even I can't be 100 percent sure. Some of them could have been perfectly timed, well-crafted phishing attempts.
Because everyone is fallible, user education opponents believe we should focus on stopping badness whether or not the user makes the right decision. Simply concentrate on developing better technology and do away with the security prompt.
It’s hard to not love that solution. But is it realistic?
The case for ongoing user training
Security isn't binary -- or never will be until perfect defenses arrive, if they ever do. Everyone’s security level is on a continuum between no security and complete security.
Well-crafted user education significantly decreases some number of users from incorrectly responding to badness -- without question you've moved the needle on computer risk to a better place. Yes, it may not ultimately stop a dedicated attacker. But what defense does?
I think the biggest problem is the sad state of most existing user education programs. The average user in the corporate world is lucky to get 15 to 30 minutes of crummy user training once a year. Watch this video; check this box after viewing. Have a good day.
Moreover, the training tends to focus on threats from 10 years ago -- and lacks material about today's most popular hacks. Frankly, most internal user education programs are horribly inadequate. If you can’t marshal the resources internally, consider going to a commercial training firm that specializes in user security education.
If social engineering is the No. 1 or No. 2 way most companies fall victim to professional hackers, is 15 to 30 minutes of subpar, generic education enough? Will a few easy questions suffice to test a user's understanding and comprehension?
Another reason I believe in user education is that some of our problems can be solved only through better training. Training people not to use the same logon credentials across professional and personal sites or apps can be accomplished solely through education. Some defenders respond that two-factor authentication (2FA) will solve this problem. Sure it will -- when every site requires 2FA.
Telling your users what a fake tech support scam looks like can only help your company's security. Convincing users that they should delete any email with an attachment that wants to execute, even if it’s from the CEO, is a good move. Training users to pipe up immediately when they think they’ve been compromised is vital (most people don't, due to fear of retribution). I can think of dozens of scenarios in which an educated user is either the best or the solitary defense that will work.
User education will not prevent every attack. But it will prevent some while we’re waiting for those perfect defenses to arrive.