Some years ago, during a (quite extended) phishing avalanche in the company I was at the time, the (then) CIO said: Let's fire every user that falls for a phishing mail! That will solve the problem for good. I considered it a joke, and I replied pretty much with a rhyme: Let's train them before we blame them and I didn't give it a second throught. We went on to deploy some training modules, but never really implemented the technical controls on the mail server; an activity that if had been implemented, several of those phishing mails would never have entered the company. I think that this is not strictly a user failure and I'm inclined to blame the IT deparment more than the user.
I believe that security should be ubiquitous and transparent; the users shouldn't even know or notice it. In that perspective, I think a company must:
- first implement any technical controls available so that users are not exposed to threats
- second educate, train and enable the user to identify the threats that bypass the technical controls, and
- third, have a solid response plan in place for when both the technical controls and the user fail
If you haven't heard the cheesy line Who is in the centre of security? U R (depicted in the head image) you probably haven't had enough security trainings in your life. But here is the point: If the user is the centre of security, or if the user is the second line of defence, what do we do if the user constantly fails and causes a security incident?
Security education and awareness challenges
I do not agree with the common statement "The user is the weakest link". I do not believe that the user is weak, but I have to admit that "the user is the most vulnerable link". As we do with vulnerabilities, we try to fix them. Security training is the typical "control" we implement for this particular vulnerability. A security training and awareness program is not easy job. In the past we would push some security videos to the users. Although many companies still do the same thing, this doesn't really work. Users don't respond well to canned training which is out of context. The effectiveness of this method is extremely low. Further developments included quizzes and questions that would "test" the user's understanding. Slightly better, but not much. Nowadays phishing attack simulations are common ground and pretty much replace 50-100% of the security education. Some companies focus only on the simulation and provide very limited actual training (a poor choice in my perspective, but this is a different issue). But all in all, awareness is a challenge and we need to work to improve it.
User behaviour
An additional parameter is the user behaviour that caused the security incident. I can identify four different ones:
- Malicious act: The user intentionally and actively attacked the company
- Arrogant negligence (also call it stupidity): The user intentionally and actively ignored the security policies (or shut down the security controls) that would protect them
- Lack of interest: The user opted to not take the training at all
- Lack of understanding: The user took the training but constantly fails in phishing simulations or -even worse- phishing real life cases
In my humble opinion (and I know some people and companies don't agree with that), the company's response should be very clear in the first two cases:
- The malicious actor should be dismissed immediately for cause and even prosecuted if the incident's impact was significant.
- The arrogant negligent should have a serious discussion with HR and learn about the organization's disciplinary process (which could even lead to dismissal if the impact was significant).
The third case is not so clear. I wonder if the non-interested users should have their access removed until they take the training. I consider it a management failure if we allow people to ignore (any, not just security) mandatory training just because they feel so. A (different) CIO, told me recently about his previous job and how they would issue a "license" to operate a computer; that license would be obtained after training. I have not formed an opinion about that yet, mostly because he was talking about the typical video training (some years ago; non-interactive, no quizzes, no nothing; just time spent watching videos).
If the users don't do the training because they feel they don't need it (and the same goes with shutting down security controls) and they get compromised, then they are automatically "promoted" to the category of arrogant negligence and that should trigger the disciplinary process.
But what about the last case? The users who do get trained and, assuming that the training is sound, they just don't get it.
Isn't the user the victim?
Yes, the user is the victim. That is very clear. This has been our response as an industry (I refer to the security industry) for many years now, and we don't think that the victim should be penalized. Still, we need to realize that some people learn from the training and some people don't. And since we as an industry have used a feedback loop that has helped us improve the quality of the training, starting from plain videos, moving to quizzes, to gamification, to simulations etc, are we not entitled to expect the users to finally learn? And since some users "get it" and others don't, through the same training, shall we not address the user issue?
I recently saw an infographic, stating that 95% of the security incidents in companies nowadays start with a phishing incident. That is ninety five per cent. That is not a small amount, it's almost everything!
But security is not the user's job!
Is it not? Do you remember the U R in the center of security cheesy line? Well, here comes the decision point. The use of computers is nowadays mandatory. You would not hire an accountant that doesn't know how to use a computer, although his job is accounting and computers are just a tool for him. In the last century people who did not know how to write would be limited to jobs that did not require writing. And they were mostly factories and manual labour. Earlier this century we saw that people who do not know how to use a computer are limited to jobs that do not require the use of a computer at any point (and they're getting less and less, are almost all manual labour and almost never pay well). So the use of computers has become a de facto qualification for office workers.
As is the use of a car for a salesperson; in fact many job posts require candidates for sales positions to have a drivers' license. Their job is to sell, not to drive. But imagine that you own a company and employee a salesperson who uses a company car to visit clients. What do you do if he is constantly involved in car accidents? How many times will you pay for the car fix (plus all the downtime, financial, reputational, operational, efficiency cost) before you decide to do something about it? My guess is not long. Especially if that happens every month or quarter.
And then comes the question: What is that something that you will do to address the problem? Will you move the salesperson to an internal position? Will you ask them to take driving classes? Will you hire a driver for them? Will you replace them? I believe it depends on the salesperson. If we're talking about a genious who brings 30% of the company revenue single handedly, you will probably find a solution like pair them with a junior who can drive and learn at the same time for example. But if we're talking about your average salesperson (or even worse, one of the low performers), my guess is that many people would consider replacing them. Not for their sales skills but for something totally irrelevant: not driving carefully.
Do you want to take that analogy to the computer user? If a computer user constantly causes incidents and you have trained them, what are your options (assuming you have implemented the technical controls)? Take their computer away? Hire another person to handle their computer? Dismiss them? Right now we just send them for more and more training; something that we know doesn't work.
Cyber risks are one of the top 5 of the WEF global risks for some years in the row now. Cybercrime has generated more than 1,5 trilion dollars but this is not news; we know already since 2005 that Cybercrime is more lucrative than drugs.
Is it maybe time we stop asking for "computer" skills and start asking for "secure use of computer" skills instead? Is it maybe time we start sanctioning or even avoiding people who pose a risk to the company because they cannot operate a computer securely?