This post is meant to be a comprehensive overview of the costs and benefits of user education in an enterprise environment (though the same applies everywhere). I have talked time and time again about users not being educated, and why that’s the case. A very significant portion of my posts have been about this subject, and it seems that this subject has gotten a lot more popular in the last few weeks, so I’m going to make a post with definitive evidence.
The costs of a security technique are always to be considered. Sometimes the cost is performance overhead, downtime, annoying popups, money, whatever. Sometimes the costs are worth it, sometimes they aren’t, but they’re always going to be there.
So what are the costs of user education?
1) Time: Your IT staff is going to have to take time to meet with users, or at the very least write something up for them. As a single session is unlikely to be effective (more on this later) it’s more useful to have multiple sessions, and thus a significant amount of time is spent on user education.
2) Money: Your IT staff is getting paid either way. But what about the employees? They’ve got work to do – billable hours. An hour of IT is an hour you’re paying them to learn, and another hour taken away from their work. Is that a significant cost? Maybe, maybe not.
These are really the two costs of user training, as it’s not a software technique and really just involves taking time to talk to someone. The issue is that it’s not just the IT staff, who are paid for security, but your everyday employees.
Simple Policies On Deaf Ears
The real meat here is the potential and perceived benefits of this training. This is less clear cut – it’s not a list of things users will or won’t do, but instead I’ll look at how likely your training was to be effective.
Let’s look at one of the simplest policies, probably a policy every company will try to enforce, and something we constantly try to teach users: use a strong password.
Do you know what we’ve learned from password dumps? It’s 2012 and these are still the most common passwords:
Yes, the top password from the Yahoo password dump is 123456, and the next one is “password”, followed by “welcome”. The advice to “use a strong password” is probably the most pervasive and consistent advice in the security community. Honestly, I think it’s the number one thing people will tell you to do, and that goes triple for a corporate environment, where passwords are critical.
And yet passwords have not improved. And I’m quite positive that if you look at a corporate environment you will find very similar results, but with the corporate policies ‘smushed’ on: password12!! instead of password, because someone decided to force them to use a number and symbol.
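To make the ‘smushing’ concrete, here is a small added check (my example, not code from the post) that tests whether a password satisfies the number-plus-symbol rule described above and yet reduces to a common password once the padding is stripped. The three-entry blocklist is constructed from the passwords the post cites; a real check would load a large list.

```python
import re
import string

# Constructed blocklist for this example: the three passwords the post cites
# from the Yahoo dump. A real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "welcome"}

_HAS_DIGIT = re.compile(r"\d")
_HAS_SYMBOL = re.compile(r"[^A-Za-z0-9]")


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """The naive corporate rule: long enough, contains a digit and a symbol."""
    return (len(pw) >= min_len
            and _HAS_DIGIT.search(pw) is not None
            and _HAS_SYMBOL.search(pw) is not None)


def strip_policy_padding(pw: str) -> str:
    """Undo the 'smushing': drop symbols and digits tacked on either end.

    'password12!!' -> 'password'; '123456!!' stays '123456' because an
    all-digit core is still the thing the user actually chose.
    """
    core = pw.strip(string.punctuation)
    if re.search(r"[A-Za-z]", core):
        core = core.strip(string.digits)
    return core.lower()


def is_weak_despite_policy(pw: str) -> bool:
    """True when pw passes the complexity rule but its core is a common password."""
    if not meets_complexity_policy(pw):
        return False
    return strip_policy_padding(pw) in COMMON_PASSWORDS


def count_weak(passwords) -> int:
    """Audit helper: how many policy-compliant passwords are really common ones."""
    return sum(1 for pw in passwords if is_weak_despite_policy(pw))


if __name__ == "__main__":
    # Constructed sample of what a policy-only check would happily accept.
    sample = ["password12!!", "Welcome1!", "123456!!", "Tr0ub4dor&3plum"]
    for pw in sample:
        print(f"{pw:18} policy_ok={meets_complexity_policy(pw)} "
              f"core={strip_policy_padding(pw)!r} weak={is_weak_despite_policy(pw)}")
    print("weak despite policy:", count_weak(sample))
```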
Users Don’t Care, And It’s Not Irrational
A Microsoft research paper explores why exactly users are incapable of following policies. Why is it that time and time again they don’t follow company advice, or so-called ‘common sense’? The answer is really very simple, and would surprise most people: they’re actually making entirely rational decisions.
Everyone performs rudimentary cost benefit analysis every day, for any task that requires a choice that will lead to a consequence. Should you have some ice cream? Go for a run? Study? Play video games? In our head we make simple assumptions like “well I can study, but it won’t be very fun, but it’ll pay off later” and come to a conclusion.
Users in a corporate environment are no different. You tell them to come up with a strong password and they ask themselves, “I can use a strong password and something might not happen, but I’ll absolutely have a hard time remembering it and it’ll be a pain to type.”
The key point here is that there are definitive and predictable costs and only theoretical consequences. A user is going to be annoyed having to retype their password 5 times. A strong password might prevent an attack.
So you have to convince your users that an attack is imminent and likely, and that the pressure is on them… to which I would imagine they’d ask why it’s their job and not yours.
It Wouldn’t Matter If They Cared
Even if your users could manage to care about the security of their systems more than about how annoying long passwords are, it very likely wouldn’t matter. That’s for two reasons:
1) You can’t get them all to care. If one user is exploited an attacker is on the network. Is the game lost? No. But if you expect user education to save you after this point, good luck.
2) They don’t know anything about computer security. Even if they did care about it, they’re incompetent in the subject. We already know they have zero clue about creating strong passwords, even when policies are enforced, so what makes you think they’ll be able to do anything else better? They are very unlikely to know how to keep every single program up to date, how to generate strong passwords, how to verify a site is using TLS, or how to differentiate between a malicious email and a legitimate one. Humans just aren’t good at that stuff, and you’re not going to be able to teach it in a reasonable amount of time (again, assuming they care enough to learn, which they don’t).
So I’ve been meaning to write this for a while, and I write about this stuff a ton anyway, but then Schneier put something out and it got all this attention and I thought “Oh, look, people actually care.”
So there’s my two cents on the matter. You can see that passwords haven’t changed, you can understand why nothing has changed, and you can consider the potentially very significant costs of implementing user training, and ask yourself if you can’t find a better use for that time/money.