Recently Cormac Herley of Microsoft Research released a whitepaper titled The Rational Rejection of Security Advice by Users. The paper discusses the cost issues of awareness training and education and includes a cost analysis of three awareness topics. He then documents why he feels these areas are not cost effective and questions the value of awareness programs. After reading the document I wanted to share with you some of my own thoughts. On some parts I agree with Mr. Herley, on some parts I disagree and some I feel he is just dead wrong. The biggest difference between Mr. Herley and me is I am far more optimistic about awareness and education. Below I explain why.
- Analysis: Where I disagree with Mr. Herley is his analysis. Most of his cost analysis is very narrowly focused on specific attacks, forgetting that the very same education that helps protect against one attack helps protect against many other attacks. For example, his first analysis focuses on compromised bank accounts, stating that consumers have minimal costs as they are simply reimbursed by their bank. As such, he states that awareness and education to protect your bank account is not worth the cost to the individual (this is assuming you actually get reimbursed). What he fails to mention is that the same awareness and education can help protect against many other attacks, such as credit card fraud or identity theft, which cost in America alone an additional $50 billion (2010 Identity Fraud Survey Report, Javelin). The costs are much higher, and the value to the end user much greater, when you combine different attacks together. What he also fails to mention is the cost to organizations. If you are a business and your bank account is hacked, you do not get reimbursed; your organization has to pay for those losses (read Brian Krebs for an outstanding series on this exact issue). Even more damaging is the cost of lost intellectual capital. Last year the Federal government issued a report stating that, between 2008 and 2009, American business losses due to cyber attacks had grown to more than $1 trillion worth of intellectual property (Financial Management of Financial Risk, ANSI 2010). All of a sudden those costs look far more damaging, and awareness and education become that much more valuable.
- Topics: Then there are the awareness topics Mr. Herley chooses for his comparison. He goes on to point out that passwords, analyzing URLs and SSL certificates cost more than they are worth. You know what, with SSL certificates I have to agree with him. This is a painful and time consuming topic with little return on value. Heck, even I get confused with SSL certificates. So yes, the cost is greater than the return; in fact I bet many other security professionals would agree. This does not make awareness invalid, it just demonstrates there are far more effective topics to focus on. For example, instead of teaching SSL certificates to identify a MITM attack, awareness should focus on the more valuable topic of how not to get owned in the first place. The key to ROI for awareness is not teaching specific attacks (which are constantly changing), but focusing on more general concepts that apply to multiple attacks (keep your systems and applications updated, explain the concepts of social engineering, no, that anti-virus site is not real, etc.).
- Costs: Mr. Herley then goes on to say that everyone pays for education in the time they allocate, but only the victims have costs. This is simply wrong. We all pay for cyber crime, not just the people who have their bank accounts hacked or identities stolen. Banks are losing millions in financial fraud. How do they recover? They increase banking fees to their customers. Online merchants are losing millions to credit card fraud. How do they recover? They simply raise their prices to cover the costs. In the end we are all paying for these successful attacks.
Overall, I feel the paper takes an overly negative view of security awareness and education. He underestimates the costs of attacks by narrowly focusing on a few specific types, not including the combined costs of other attacks. Also, several of the awareness topics he focuses on are generally acknowledged as having limited education value. That is kind of like picking on the smallest kid on the block to prove your point. But he does teach a good lesson. We have to prioritize what we teach people, make sure what we teach will make the biggest difference, and do it in a cost effective manner. This is not easy, but then again that is what I hope to achieve with this blog ... making a difference when it comes to securing the human.