Go ahead...touch the hot stove
Regular readers of this blog, or those who subscribe to the Threats Without Borders newsletter, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all and end-all, and that new learning techniques are needed.
The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.
"I think one of the most important things to realize is most of the education and training done, it's not very effective."
"The 30-minute video you're obligated to watch once a year doesn't do the job."
Yes, I’ll agree with this, but maybe it’s not all on the security professionals.
I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over not to touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they touch it and get burned they don't have any context. And because they don't have any context, because they haven't felt the pain, they're going to touch the hot stove.
Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, "I knew it looked suspicious" and "I know better, I saw the same thing in training."
Almost all promise me "I won't make that mistake again." And they won't. Much like a child never touches a hot stovetop twice, they must get burned for the message to have an impact.