I was once called into a multinational oil company which wanted advice on a situation. One of their employees called them, because a coworker was displaying unusual behaviors. An investigation was performed, and it was learned that the coworker was giving information to a Chinese intelligence operative. At another company, an employee stopped a person from tailgating them into a facility and it turns out the tailgater was responsible for stealing more than a dozen laptops from company facilities.
While performing a penetration test at one company, the security manager told me I should take a long lunch at a very specific restaurant, and just listen to conversations. I learned of the company's marketing plans for a top product. Going to lunch at dozens of restaurants near the National Security Agency, an organization with extensive security awareness efforts, I can hear nothing of any significance.
During a firewall penetration test, a strictly technical penetration test, I received a call from a bank vice president telling me to stop my social engineering BS. I asked what the person was talking about, and was told that their people received a call asking details about the firewall, and replied that they needed the persons contact information and would get back to them, as their awareness training described, and the manager assumed that it must be part of my penetration test, which it wasn't.
It was a real attack, and they responded appropriately.
I can go on, and give dozens of examples of security awareness success stories, but everyone knows of such success stories. Frankly, everyone reading this article can likely point to countless personal stories of how their behavior saved them from being a victim of some attack.
First, let's stop and consider what security is. Dave Aitel's recent column "Why you shouldn't train employees for security awareness" gives the impression that every security measure should be 100 percent effective. Aitel even reinforces that concept in a response to one of the many comments criticizing the article.
In Aitel's own his comment, he notes: "The only thing you really know about awareness training is that no matter how much you spend on it, one time out of ten it completely fails. The one person you want to be aware is, of course, your CSO, so he can institute security measures that make awareness a non-issue."
But every security measure, technical or otherwise, has and will fail again at some point in time. If you don't realize that, you really suck as a security professional. The definition of "security" is literally "freedom from risk." You will never be free from risk in the real world. What "security" professionals are actually performing is "risk management."
Security professionals are supposed to design and implement security programs that cost effectively mitigate risk. Period. Not completely prevent risk, but mitigate the risk. You will have losses, but your goal is to control the losses in a reasonable manner.
The question to ask is whether the losses prevented by awareness training are more than the cost of the awareness program. So for example, as every successful phishing attack has a cost associated with it, if you are reducing phishing attacks by 50 percent, you are mitigating 50 percent of the potential losses. But Aitel uses a 2004 example as proof of his opinion, where after a four-hour training session - of which nobody is sure of the quality of that training - there was still a 90 percent success rate for phishing attacks.
That literally proves nothing.
Clearly awareness techniques have improved, but even so, the question posed should be: "Is what the cost savings was for the 10 percent reduction in successful attacks compared to the cost of the training program?" And this is just the tip of the weaknesses of his using this example.
The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction of loss will always be a good return on security investment, especially when the cost of typical security awareness programs is minimal?
Then there is the fundamental concept that the I in IT stands for INFORMATION, not computers. The acronym CISO stands for Chief INFORMATION Security Officer, not Chief Network Security Officer. Aitel's article and recommended countermeasures, in lieu of awareness training, fail to recognize that information exists off of a computer network. Using the previous mentioned quote there is no technology that will prevent the human mishandling of paper information and computer media. Yes, media can be encrypted, but the cost of trying to find loss media, even if it is eventually found, can be enormous, drain resources and result in a public embarrassment. The return on investment for a security awareness program of this form can be huge, even if it prevents a single incident.
But the biggest issue is perhaps that security awareness efforts are frequently not optional. Any good security practitioner realizes that their clients have to adhere to a variety of compliance standards, with a variety of interpretations. Awareness programs are required or implied by standards including PCI and HIPAA. Telling people not to do something, because the pontificator believes it is a bad idea is just not an option, even if the guidance is reasonable.
So just to summarize, the fundamental issues of security include but are not limited to no security measure is perfect, awareness mitigates non-technical issues that technology can't, that CISOs and other security managers are responsible for protecting information in all forms, and that in many cases awareness programs are not optional. The fact of the matter is that no security measure should be measured by the standard of perfection. The real standard is return on investment. By that standard, you will find that security awareness is one of the most reliable security measures available.