Last week on the infamous podcast series Pauldotcom I was fortunate enough to join an amazing group of security professionals to discuss whether security awareness is worth the time and effort. If you have not listened to Pauldotcom before, definitely try them out. No political correctness there; people definitely speak their minds. The podcast included Space Rogue, Dave Aitel, Dameon Welch, John Strand and others. The group was pretty evenly split for and against awareness programs, so it was a lively debate.
Dave Aitel took the lead, saying that reducing human risk by 95% is not enough. The 95% figure comes from phishing assessments: it has been demonstrated that awareness training can reduce the number of people who fall victim to phishing attacks to just 5%, including in research by West Point and CMU. Phishing is one of the most commonly discussed human attack vectors because it is one of the easiest to measure.
So, is 95% good enough? In other words, after all that time, money and effort, at least 5% will always fall victim, no matter how much you train them. Dave and others felt no, that is not good enough, and that it demonstrates you can never secure the human. I could not disagree more. Security is nothing more than reducing risk; you cannot eliminate it. Anti-virus cannot detect all malware and firewalls cannot stop all attacks, so why is security awareness any different? In fact I would argue 95% is a great ROI. By reducing the common day-to-day incidents by 95%, your security team can focus on more advanced threats. One defense industry organization I worked with saved half an FTE (Full Time Employee) based solely on the drop in the number of infected systems. This alone more than paid for their awareness program, and this is just prevention. We did not even get a chance to discuss how employees can be trained to detect phishing attacks and report them (human sensor, anyone?). What if that 5% who failed and fell victim reported it right away, reducing risk even more! Finally, remember that awareness goes far beyond just phishing and addresses a tremendous number of other risks and attack vectors, so when measuring its value you have to add in all these other areas.
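To make the "human sensor" point concrete, here is an added example (my own code, not from the podcast or any of the participants) that scores a simulated phishing assessment the way a defender would: not just the click rate, but the report rate, the share of victims who clicked and never reported (the residual risk that matters), and the time until the first report reached the security team. The two campaign result sets are constructed sample data, as are the user names and timings; the before/after percentages are illustrative and not the figures cited above.

```python
"""Score a simulated phishing assessment from per-recipient outcomes.

Added example with constructed data: the point is that a click which is
reported within minutes is a very different risk from a silent click.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Outcome:
    user: str
    clicked: bool
    # Minutes from delivery to the user's report; None means never reported.
    reported_after_min: Optional[float]


def score_campaign(outcomes: List[Outcome]) -> Dict[str, Optional[float]]:
    """Return click rate, report rate, silent-victim rate and time to first report."""
    total = len(outcomes)
    clicked = [o for o in outcomes if o.clicked]
    reported = [o for o in outcomes if o.reported_after_min is not None]
    # Victims who clicked and never told anyone: the exposure nobody knows about.
    silent_victims = [o for o in clicked if o.reported_after_min is None]
    first_report = min((o.reported_after_min for o in reported), default=None)
    return {
        "click_rate": len(clicked) / total,
        "report_rate": len(reported) / total,
        "silent_victim_rate": len(silent_victims) / total,
        "minutes_to_first_report": first_report,
    }


def risk_reduction(before: Dict, after: Dict, metric: str = "click_rate") -> float:
    """Fractional reduction of a metric between two campaigns (1.0 = eliminated)."""
    if before[metric] == 0:
        raise ValueError("baseline metric is zero; nothing to reduce")
    return 1.0 - after[metric] / before[metric]


# Constructed sample data (hypothetical users u00..u19).
# Before training: 8 of 20 click, only one non-clicker reports, four hours later.
BEFORE = [
    Outcome(f"u{i:02d}", clicked=i < 8, reported_after_min=(240.0 if i == 19 else None))
    for i in range(20)
]
# After training: one click, but that person reports within 3 minutes,
# and nine others report the lure without clicking.
AFTER = [
    Outcome(
        f"u{i:02d}",
        clicked=(i == 0),
        reported_after_min=(3.0 if i == 0 else (2.0 + i if i < 10 else None)),
    )
    for i in range(20)
]


if __name__ == "__main__":
    b, a = score_campaign(BEFORE), score_campaign(AFTER)
    print("before:", b)
    print("after: ", a)
    print(f"click-rate reduction: {risk_reduction(b, a):.1%}")
    print(f"silent-victim reduction: {risk_reduction(b, a, 'silent_victim_rate'):.1%}")
```

With the constructed data the click rate falls from 40% to 5%, but the more telling numbers are that the silent-victim rate falls to zero and the first report arrives after 3 minutes instead of 240. Tracking those two metrics alongside the click rate is how an awareness program shows value as detection, not only as prevention.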
So is 95% worth it? Absolutely. Can you name any other security control with a greater ROI? Space Rogue, Dave Aitel and others brought up several other excellent points, which I will address over the next couple of posts. I want to thank these folks and everyone else on the podcast for helping to make us all think and for pushing the envelope on security awareness.