The connection between improved security and user education is so well-established as to be almost axiomatic. Better technology, coding practices and testing can only accomplish so much. If customers or employees don’t know that, say, clicking on a curious link on their Facebook wall or opening the iloveyou.exe e-mail attachment could compromise their security, how do we gain ground against cyber crime, cyber espionage, spam and other online ills?
In just the latest example, the security firm FireEye found that cyber criminals were finding more success in bypassing security gear by relying on links to drive-by-download attacks on malicious web sites set up using one-off web domains. The great propensity of users to click on malicious links allowed the new strategy to succeed, spurring even more use of it, FireEye noted. (http://www2.fireeye.com/advanced-threat-report-1h2012.html)
In short: everything and nothing.
Within enterprises, investment in end user education varies, and there’s no hard data on how effective the existing programs are. A recent survey of 950 IT professionals by the technology trade publication InformationWeek found that end user security awareness training was rated the second most valuable security practice, just behind identity and password management. Unfortunately, the same survey found that only 22% of respondents rated end user awareness programs “very effective” at protecting their organization from internal or external threats. In contrast, fully 66% of respondents to the same survey rated firewalls “very effective,” InformationWeek found. (http://reports.informationweek.com/abstract/21/8815/security/research-2012-strategic-security-survey.html)
In the consumer space, the U.S. government has consistently opted for public-private partnerships to get the word out about the growing danger of preventable ills like malware infections, hacking, identity theft and the like. The results of this “let a hundred flowers blossom” approach are predictable: almost every consumer-facing technology company and service provider has offered up their own prescriptions for safe online browsing, shopping, dating and social networking. But, without any organization to help shape and coordinate those efforts or disseminate the information that they produce, the efforts have little force once the ink on the press release has dried.
One solution might be for the Federal Government to be more engaged in what is, after all, a public information campaign. NIST and DHS might craft a comprehensive education program and then partner with the private sector to get it out to millions of U.S. consumers. Periodic audits and assessments could test the effectiveness of the program against objective measures of security awareness. Then, over time, elements of the program that don't work could be reformed or replaced with those that do. "You can't manage what you don't measure," as the old saying goes.
But a recent GAO (Government Accountability Office) report makes clear that the federal government, like too many private sector firms, takes the existence of security awareness programs as prima facie evidence that they work.
Surveying the National Institute of Standards and Technology’s (NIST’s) National Initiative for Cybersecurity Education (NICE), the federal government’s main cybersecurity education effort, GAO-12-757 (http://www.gao.gov/products/GAO-12-757) concludes that scant attention has been paid to whether the program actually works. Neither NIST nor DHS has applied what GAO calls “outcome-oriented performance measures” that might indicate whether and how their many education programs (National Cyber Security Awareness Month, “Stop. Think. Connect,” and similar grants and programs) are working.
NIST officials, speaking with GAO, acknowledged that they do not measure progress related to awareness activities. DHS, which is charged with delivering the security awareness components of NICE, told the government’s watchdog agency that it does attempt to measure the programs’ effectiveness, just not using “objective oriented” measures. Instead, it relies on more subjective measures, such as how many individuals sign up to receive information about the various campaigns, how many events are held in association with each, and how many visits there are to program Web pages.
Like the parallel debate in the public education space, it’s long past time to stop relying on what amounts to anecdotal evidence of progress towards what we all recognize as a critical goal: cyber security awareness. There’s ample evidence that government and industry can partner productively on public information campaigns when the stakes are high (think SARS or H1N1 influenza). Why not a similar, outcome-based effort around online threats like Web-based drive-by download attacks? Industry and, especially, government must do more than just pay lip service to the importance of educating consumers and employees about cyber risks.