Paying Lip Service (Mostly) to User Education

Wednesday, October 24, 2012

Fergal Glynn


Article by Paul Roberts

How well do consumer cyber security awareness efforts work? That’s a good question, and one somebody might consider answering!

The connection between improved security and user education is so well-established as to be almost axiomatic. Better technology, coding practices and testing can only accomplish so much. If customers or employees don’t know that, say, clicking on a curious link on their Facebook wall or opening the iloveyou.exe e-mail attachment could compromise their security, how do we gain ground against cyber crime, cyber espionage, spam and other online ills?

In just the latest example, the security firm FireEye found that cyber criminals were finding more success in bypassing security gear by relying on links to drive-by-download attacks on malicious web sites set up using one-off web domains. The great propensity of users to click on malicious links allowed the new strategy to succeed, spurring even more use of it, FireEye noted.

So what’s being done about the dearth of solid user education?

In short: everything and nothing.

Within enterprises, investment in end user education varies, and there’s no hard data on how effective the programs that do exist actually are. A recent survey of 950 IT professionals by the technology trade publication InformationWeek found that end user security awareness training was rated the second most valuable security practice, just behind identity and password management. Unfortunately, the same survey found that only 22% of respondents rated end user awareness programs “very effective” at protecting their organization from internal or external threats. In contrast, fully 66% of respondents to the same survey rated firewalls “very effective,” InformationWeek found.

In the consumer space, the U.S. government has consistently opted for public-private partnerships to get the word out about the growing danger of preventable ills like malware infections, hacking, identity theft and the like. The results of this “let a hundred flowers blossom” approach are predictable: almost every consumer-facing technology company and service provider has offered up their own prescriptions for safe online browsing, shopping, dating and social networking. But, without any organization to help shape and coordinate those efforts or disseminate the information that they produce, the efforts have little force once the ink on the press release has dried.

One solution might be for the Federal Government to be more engaged in what is, after all, a public information campaign. NIST and DHS might craft a comprehensive education program, and then partner with private sector partners to get it out to millions of U.S. consumers. Periodic audits and assessments could test the effectiveness of the program against objective measures of security awareness. Then, over time, elements of the program that don’t work could be reformed or replaced with those that do. “You can’t manage what you don’t measure,” as the old saying goes.

But a recent GAO (Government Accountability Office) report makes clear that the federal government, like too many private sector firms, takes the existence of security awareness programs as prima facie evidence that they work.

Surveying the National Institute of Standards and Technology’s (NIST’s) National Initiative for Cybersecurity Education (NICE), the federal government’s main cybersecurity education effort, GAO-12-757 concludes that scant attention has been paid to whether the program actually works. Neither NIST nor DHS has applied what GAO calls “outcome-oriented performance measures” that might indicate whether and how their many education programs – National Cyber Security Awareness Month, “Stop. Think. Connect,” and similar grants and programs – are working.

NIST officials, speaking with GAO, acknowledged that they do not measure progress related to awareness activities. DHS, which is charged with delivering the security awareness components of NICE, told the government’s watchdog agency that it does attempt to measure the programs’ effectiveness, just not using “objective oriented” measures. Instead, it relies on more subjective measures such as how many individuals sign up to receive information about the various campaigns, how many events are held in association with each, and how many visits there are to program Web pages.

Like the parallel debate in the public education space, it’s long past time to stop relying on what amounts to anecdotal evidence of progress towards what we all recognize as a critical goal: cyber security awareness. There’s ample evidence that government and industry can partner productively on public information campaigns when the stakes are high — think SARS or H1N1 influenza. Why not a similar, outcome-based effort around online threats like Web-based drive-by download attacks? Industry and – especially – government must do more than just pay lip service to the importance of educating consumers and employees about cyber risks.

Cross-posted from Veracode

Kathleen Jungck In light of the BYOD growth, this issue continues to be extremely relevant. It's time to move on from "Security Awareness" and start addressing a basic foundational level of "Security Hygiene". Employers could then add industry (and company) specific issues on top of that foundation.
Sherrley Max This is a good educational service. when somebody want online education then go on
addie baldric I agreed, Almost each consumer-facing technology firm and service provider has offered up their own directions for safe online browsing, shopping, dating and social networking. But, without any association to help shape and coordinate those efforts or disseminate the knowledge that they web page:
Mike Erik I agreed with this post nice and relevant post.
Electra Melina Studies like this just so they can have something to post on give lip service on social media about the importance of using modern communication channels.
John Lewis I have this assignment from, can you help me with it?

The aim of this assignment is to develop your planning and analytical skills in the context of a complex project orientated environment.

You are required to develop a defendable project schedule for a project of your choice, which will facilitate successful execution of the project. The project may be one of you are, or have, been involved with, or may be taken from a case study of your choice. The submission must include a project schedule of at least 100 activities and clearly identify the logic of activity sequencing and relationships between the activities. All dependencies, constraints and resources are to be included.

Monica Farcas Awesome content, beneficial give good results; now I am aware that which you guys have been doing.

Take My Class 4 Me The relationship connecting enhanced security and user education is so well-established as to be approximately self-evident. Improved technology, coding practice and difficult can only achieve so much. For more detail visit here my site.
carson Perry I have been interested in this topic for quite some time. I have been researching it for a couple of hours and found your post to be very interesting. Cheers!
Braden bond The relation between upgraded insurance and user education is so good and entrenched as to be around absoluted.
Raushan Kumar Several assistance individuals will irritate due to their perform stress which will hurt business owners of items.
Raushan Kumar Client complimentary is also critical facet to shift all our aspects from one place to another.

clasical micla We stand behind our products quality and ensure that people can use them without any worries. We even take up the concern of our customers directly to the watch manufacturers if we get any and make sure that watches of concerned people are fixed as quickly as possible.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.