More on security training

On July 18, 2012, CSO magazine published an article by Dave Aitel of Immunity in their Security and Risks newsletter, titled ‘Why you shouldn’t train employees for security awareness’. In this article, Mr. Aitel presents an argument that security training, despite being deemed by many as best practice, is flawed, and should not be considered a reliable level of defense against vulnerabilities. It is clear that his premise is that the security practices which are deployed should provide sufficient protection against vulnerabilities posed by users, and all levels of threat.

The argument for the development of security policies and practices which are not susceptible to human error is valid, but does not preclude the need for security training and awareness by users of secure resources. As could be expected, the polar views presented by Mr. Aitel have established him as a lightning rod for some very harsh criticism in the comments section following the article. In fact, those participating in commenting the article have even gone to the effort of publishing an animated parody of the article and the comments in an Xtranormal video.

There is no doubt that the security community has strong feelings about those who issue a polarized statement as fact, as is demonstrated by this article. It is our position that there is no black or white in security, merely varying shades of gray, where no single principle can be applied to all environments. In the case of Mr. Aitel’s article, to state that security awareness training is unimportant and that robust system security is the best practice, is naïve and delivers the wrong message. Each IT environment has its own specific requirements, and best practice would dictate that security awareness training should be a component of any properly developed security policy. Of course, the amount and type of training will be subjective to the specific needs of the organization.

In developing the Cicada, we considered such concerns as human error, usage compliance, security education, and technical vulnerabilities, and engineered a solution which we believe provides valuable security against physical threat while not posing an imposition on the user. We also defined a usage model where the actions to protect the system were simple, required a minimum amount of training, and were not subject to human error.

Having worked with a broad range of security technologies, it is understood that any process which is complicated, and causes impedance to the users common work habits will be circumvented or ignored. The best solutions are those which impose the least inconvenience and are not susceptible to human error. Yet, despite the apparent simplicity of this concept, developing valuable security solutions which in fact achieve this balance are relatively complex to build. We are proud to say, we believe that the Cicada provides a high level of value, with limited susceptibility to human error, on a platform which is easy to use.