Awareness training has failed us

Jan 02, 2018 | 5 min read
Application Security, Data and Information Security, IT Skills

And if awareness isn’t enough, is it time to look at our problems in a new way?

[Image: danger, unaware. Credit: Thinkstock]

I went bowling the other day. There are still bowling alleys around. I’ve not been bowling in a very long time. It’s one of those things that seems to have fallen off in popularity at some point. I’m told it’s coming back and becoming more popular. We’ll see I suppose, I think it’s still fun.

The point of this post isn’t to dwell on bowling though, it’s to focus on human behavior. Being a security person, I managed to see a security story in the events of my bowling … game? match? I have no idea what it’s called.

I was bowling because one of my kids was part of a group that planned a family bowling event. Most of the kids had bumper rails put up on the alley they were using. The idea of the bumper rails is to keep the ball out of the gutter. They are literally rails on the side of the lane you throw the ball down.

Being a stodgy old person, I insisted we bowl the first game without any rails up. This caused a great deal of wailing and gnashing of teeth from the youngsters. They did manage to make it through the game with only minimal long-term emotional damage, I think.

They did really well, actually. They didn’t need the bumper rails; they could bowl just fine. However, as soon as the first game was done they made sure the bumper rails got put up by the nice people who run the bowling alley. They apparently had enough danger for one day.

Here’s where we get into the behavior part. I don’t think it would surprise anyone to learn with the bumper rails installed the kids screwed around. A lot. They hit the rails constantly with their balls, sometimes on purpose. These were not the same people who had bowled the previous game.

This got me wondering. Why did the behavior change so drastically? I have a suspicion a lot of it was caused by the fact that these people knew with the rails installed they didn’t have to care as much, so they didn’t.

This change in behavior isn’t surprising if you think about it. If people know they’re safe they can afford to goof off more than if they’re not safe. The definition of safe is relative of course. Being “safe” during a game of bowling is nothing like being safe in the middle of a riot.

I want to extend this to awareness training. It’s no secret I’m not a fan of awareness training. I’ve never seen a single statistic that shows it works (and I’ve looked quite a lot). There are a number of things we do in security not because it works but because cargo cult mentality tells us we need to do it.

Since awareness training doesn’t work, what might work is something I’m going to call understanding training. What if, rather than obsessing about the impossible task of teaching someone which links are safe to click on, we try to make them understand the landscape they exist in? Where are their rails?

Keeping with bowling, here is how I explain it.

Awareness training is telling someone they need to throw the ball down the middle of the lane and knock over the pins. Knock over as many pins as you can. Make sure the ball doesn’t go in the gutter. Not every bowling lane has bumper rails, so let’s just not worry about explaining those.

Understanding is when you know how the mechanics of the ball, pins, and lane work. You understand that if rails are up, the threat of a gutter ball goes away. You know you can bounce the ball off the rails if you need to. You will probably have a higher score; not because you’re a better bowler but because you can use technology to improve your score.

Awareness training puts a lot of focus on specific situations and expected outcomes. Awareness training puts the responsibility on the human to do the right thing. Humans never consistently do the right thing. We’ve all taken training like this; it’s generally not enjoyed and, given the current state of security, it doesn’t work very well.

Understanding shifts the focus from the human to the technology. Technology is generally consistent. But understanding is very context dependent, which makes it tricky. Your ability to react to certain situations is unique to you and your organization. It’s not going to be possible to find an off-the-shelf training module in an instance like this. Sometimes it’s all about technology; sometimes it’s just knowing where the technology falls short.

I don’t have data today, so take all this with a grain of salt. I do hope to put some effort into proving this right or wrong; without data you don’t really know if something is a good idea or a bad idea. I have a suspicion any organization would benefit from better understanding no matter what the topic is. Awareness isn’t enough; we need to look at our problems in a new way.


Josh Bressers is the head of Product Security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time. Josh has helped build and manage security groups for many open source projects as well as a number of organizations, covering everything from managing vulnerabilities, the security development lifecycle, DevSecOps, security product management and security strategy to nearly any other task that falls under the security umbrella.

Josh co-hosts the Open Source Security Podcast. Josh is also an active member of the Distributed Weaknesses and Filing project which is in the process of leveraging the power of open source for CVEs.

The opinions expressed in this blog are those of Josh Bressers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.