Industry View | Ira Winkler on Awareness Training
Awareness training is great when people can hurt only themselves. But when people can hurt others, stronger measures are required
By Ira Winkler
June 30, 2008
During the recent RSA Conference in San Francisco, I was part of a panel organized by the National Cyber Security Alliance (NCSA). The subject was botnets, and the copanelists included people from the Department of Homeland Security, the FBI, McAfee and, of course, the NCSA.
As the panel went on, I became aware of an incredible irony: I was the person on the stage most skeptical of awareness training. After all, if you read any of my books, you will see that I state that awareness training is the most effective security expenditure.
Now I was accusing people who rely on awareness training of being negligent. I had to reassess my arguments.
A few years ago, if you told me that the Department of Homeland Security had a group of people assigned to do nothing but awareness training, I would have responded that it was a long time in coming. I would have praised them for finally putting money proactively toward trying to deal with the most common cause of security vulnerabilities: poor security awareness, ignorance, apathy, and so on.
Now I end up criticizing the DHS for mistaking its reliance on, and touting of, a security awareness campaign for being proactive. Again, my mind was spinning as I tried to figure out where this disconnect was coming from.
I soon realized what the issue was. Previously, when people exercised poor security awareness, they hurt themselves.
Now the big problem is that when they exercise poor security awareness, they hurt others. It completely changes the model, at least in my mind.
Before, when people left themselves vulnerable, they were the victim of a crime. They were the people who had their identity stolen. They were the people whose computers were trashed. They were the people who suffered in the end. Now, these "victims" are the facilitators of crimes against others. They are the enablers, the unwitting accomplices. These "victims" are the drivers of crimes.
So, essentially, I realized that awareness training is appropriate when people can hurt only themselves. However, when people can hurt others, we need laws to protect ourselves from these people and to force them either to secure themselves or to get off the Internet.
The root of all botnets is the poorly protected computers that get compromised. These are typically poorly maintained PCs that run without basic software updates and without security software enabled. If the PC user were the only victim, I couldn't care less. However, the reality is that these PCs power distributed denial-of-service attacks, which enable extortion against people and organizations that are doing everything right. They are the source of phishing attacks, which raise bank and credit card rates in the long run. They enable identity theft. They raise bandwidth costs for everyone.