Related link: http://www.threatchaos.com/archives/2005/10/dangerous_meme.htm
In my old SANS webcast titled “What’s NOT Working in Security in 2004″ I mentioned security awareness as one of the failures. This insightful blog entry from a controversial (due to the “death of an IDS” report of 2003) Richart Stiennon highlights the faults and inherent limitations of security awareness training.
Granted, it is very hard if not impossible to develop technical safeguards agains social problems (like employee abuse and ’social engineering’ attacks), but using security awareness training to plug the holes in technical security countermeasures is not going to work either. Here are some of the highlights: “Security awareness training is like the “Quidado!” sign a hotel or airport erects over a puddle in the middle of the hallway. A dangerous situation is addressed with a sign instead of the immediate application of a mop.”
And even harsher: “I say no. Education is not key to security. Good security technology is key to security.” He then continues to escalate to this: “If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed.”
Thoughts?
not so black and white
One could argue that if you need technology to prevent your people from doing something they shouldn't you didn't educate your people as to what they're supposed to do...
Maybe you gave them the wrong tool indeed which allowed that insecure activity, but isn't that a case of the wrong technology and not a case of not enough technology? Why not give them a too without that insecurity rather than use yet another tool to prevent that insecurity from becoming a problem?
Tools...
I think we need to drop the "tools" analogy, because it confuses the issue.
If you're a carpenter, you're supposed to know how to use a saw. Yes, I'll put a finger guard, a dead-man lock, and a dust shield on it, but it remains a saw. It has inherent dangers, and all carpenters must be appropriately trained to avoid injuring themselves and others. That very training is, in some sense, the essence of what it means to be a carpenter.
The analogy breaks down in IT, because computers are universal tools, reconfigurable to handle an infinite variety of tasks. Calling a computer, a piece of software, or a network a "tool" in this context doesn't help frame the discussion very well.
We trust carpenters to know which tools to put into their toolboxes, to know when blades need sharpening, and to handle that maintenance themselves. In other words, the exact opposite of how we treat IT users.