
Inoculation in Security Training and Awareness

I spend a fairly large percentage of my time involved in information security training and awareness activity of one type or another. Sometimes I develop courses (e.g., I developed two new courses last calendar year), sometimes I critique courses that others have developed, but most often I teach courses. And if you have read some of my previous blog entries, you’ll know I am a strong believer in security training and awareness because it generally yields a very favorable cost-to-benefit ratio. It also promises to change both the attitudes and the behaviors of users and managers of computing systems, regardless of whether the targets of training are everyday users, system and network administrators, software developers, quality assurance experts, or managers.
We all also know too well that not all information security training goes according to plan. Despite the best of intentions, there are times when what the instructor says goes in one ear and right out the other. In response to this problem, hands-on training began to be offered considerably more often, starting in the late 1990s. I have found that hands-on training is generally good at helping attendees learn what actually must be done to achieve some concrete goal, such as installing and updating anti-spyware. Yet at the same time, some attendees become proficient in performing actions on a computer without truly understanding the whys and wherefores of what they are doing, and they too often fail to generalize the knowledge and skills they have amassed. A good example is a story that a colleague of mine told me earlier this year. Users attended a security training and awareness course in which they were taught to avoid phishing attacks by avoiding actions such as opening email attachments they were not expecting. Almost all the users caught on, and they left the training session. The training staff had obtained the cell phone numbers of the attendees, and they then sent the attendees files and messages containing attachments over their cell phones, i.e., an unexpected attachment arriving over a different channel from the one used in class. In contrast to their in-the-classroom behavior, attendees now forgot about their training and freely opened the files and attachments on their cell phones. They had learned a rule about email, not the principle behind it, and so had not generalized what they were taught in the training session.
Another approach to security training and awareness is relatively new and also controversial. It is called “inoculation.” Attendees in training sessions interact with computers that run simulation software rather than live malicious content. When a user engages in a dangerous action such as opening an attachment that he or she had not expected, the software displays dramatic effects such as a bright, flashing screen and obnoxious noises. Others in the training room can see and hear what is happening at the negligent user’s computer. The effect is dramatic—once someone has been through one or two of these episodes, that person’s behavior typically takes a turn for the better.
The inoculation approach is not without its critics. Those who are antagonistic towards this approach argue that embarrassing and scaring users in the name of security is unethical, or at least borders on being unethical. They say that informed consent by all participants is necessary, just as participants in a university psychology experiment must first give their consent if they are to participate. Others think that inoculation is unwise because it helps people develop negative attitudes towards information security, which is already too often known as the “department of no” and the “business prevention department.” According to this argument, scaring and embarrassing people in the name of security is bound to do anything but help them develop a more positive attitude towards it.
No other security training and awareness method “drives the point home” better than inoculation. This method promises to make lasting changes in the behaviors and attitudes of users. Yet at the same time there are some serious downsides to this approach. I leave the verdict up to you—once again, we as information security professionals must carefully assess and weigh the positives against the negatives if we are to come up with good solutions and answers to the problems that we face.
