my user education rules of thumb

My RSS reader is getting swamped because I'm behind. In trying to catch up, I see more QQing about user education (either a lack of support for it or a lack of value in it). Here are some of my personal guidelines on user education as it relates to enterprise security. These are not hard and fast rules, just general guidelines I use.

1) User education informs users of, and explains, corporate policies and technical controls. A workforce that doesn't know policy can't follow it. A workforce that doesn't understand why a control is in place will fight against it, or work around it.

2) User education helps those who truly want to do the right, secure, safe thing. Some people are quite open to this and actually thirst for the knowledge, both for work and at home. That is not all people, especially when push comes to shove and the "right" thing means not doing the "easy" thing in your job. E.g. it is easier to just email the client that SSN-filled spreadsheet than to figure out or set up a secure transfer method via "encrypted" mail, actually encrypting the mail, or SFTP. (Yes, I meant to list three things there...)

3) User education fills in the gaps that technical controls cannot adequately fill. There are security problems that simply cannot be solved very well with technical or procedural controls. A salesman talking on his cell phone in the airport about confidential business plans can be overheard, and there's not much a control can do about that. Or it may not be technically possible to add more physical security to your building if you don't own it. But user education can demonstrate that the business is not negligent about such issues, and the user may change his behavior after such education (see #2).

4) Technical controls are more valuable than user education. If, for a particular risk, the value of a technical control roughly equals that of a user education control and the two don't add to each other, the technical control should win out. While user education has value, it does not ensure anything. Even I, as an informed and careful sec geek, would rather not have to make judgment calls or risk mistakes when dealing with a strange attachment. I'd rather it be stripped early and never delivered to me, or have my system not be vulnerable in the first place (patched, least privilege, HIPS...).

5) User education is worthless without technical controls. This follows from the earlier points, but imagine a company that has few or no technical controls and relies on the intelligence of its workforce to be secure. With technical controls, there is at least some assurance of a certain level of unattended security, assuming good configurations and settings. With technical controls, you can trust and verify. With user education, you have to trust, measure, and generalize.

6) User education is, nonetheless, especially valuable to the people who decide on technical controls. IT and security staff need continued training. IT and security staff need continued training. IT and security staff need... We can't make things right unless we know how to make things right. From developers to IT professionals to managers, the technical people need technical training. Part of "baking in" security is kneading in the knowledge.
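To make point 4 (strip the strange attachment before it reaches the user) and point 5 (a control you can verify rather than a judgment you have to trust) concrete, here is an added example of the kind of attachment policy a mail gateway can enforce. It is not code from the original post or any particular product; the blocked-extension list, the magic-byte table and the sample attachments are all assumptions constructed for the example. It shows why a filename check alone is a weak control: it also sniffs the content for executable headers (catching a renamed .exe) and looks inside ZIP archives without extracting them, refusing password-protected archives it cannot inspect.

```python
"""Attachment-stripping policy check for a mail gateway (added example)."""
import io
import zipfile

# Assumption: a conservative starting list, not any vendor's default.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".jar", ".lnk", ".iso", ".msi", ".dll",
}

# Leading bytes that identify the real content regardless of filename.
MAGIC = {
    b"MZ": "pe",            # Windows PE executable / DLL
    b"\x7fELF": "elf",      # Linux executable
    b"PK\x03\x04": "zip",   # ZIP archive (also .docx/.jar containers)
    b"%PDF": "pdf",
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if nothing matches."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def final_extension(name: str) -> str:
    """Last extension, lower-cased. Trailing spaces/dots are stripped first
    because they are a common trick to hide the real extension."""
    stem = name.strip().rstrip(".")
    if "." not in stem:
        return ""
    return "." + stem.rsplit(".", 1)[1].lower()


def zip_members_ok(data: bytes):
    """Inspect archive members without extracting them. Encrypted members
    cannot be inspected, so the archive is refused rather than trusted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 = member is encrypted
                    return False, f"encrypted member {info.filename!r} cannot be inspected"
                if final_extension(info.filename) in BLOCKED_EXTENSIONS:
                    return False, f"archive contains blocked type {info.filename!r}"
    except zipfile.BadZipFile:
        return False, "malformed archive"
    return True, "archive members acceptable"


def verdict(name: str, data: bytes):
    """Return ('strip' | 'deliver', reason) for one attachment."""
    ext = final_extension(name)
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return "strip", f"blocked extension {ext}"
    if kind in ("pe", "elf"):
        # The filename lied; the content is what gets executed.
        return "strip", f"content is a {kind} executable despite name {name!r}"
    if kind == "zip" or ext == ".zip":
        ok, reason = zip_members_ok(data)
        return ("deliver" if ok else "strip"), reason
    return "deliver", f"{ext or 'no extension'} with {kind} content"


def filter_message(attachments):
    """Apply the policy to a list of (filename, bytes) pairs."""
    return [(name, *verdict(name, data)) for name, data in attachments]


def make_zip(members: dict) -> bytes:
    """Build a small in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments (not real mail traffic).
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("invoice.pdf.exe  ", b"MZ\x90\x00constructed"),          # double extension + padding
    ("photo.jpg", b"MZ\x90\x00renamed executable"),           # filename lies about content
    ("docs.zip", make_zip({"readme.txt": b"hi", "setup.scr": b"MZ"})),  # nested executable
    ("notes.zip", make_zip({"notes.txt": b"plain text"})),
]

if __name__ == "__main__":
    for name, action, reason in filter_message(SAMPLE_ATTACHMENTS):
        print(f"{action:8} {name!r}: {reason}")
```

The second and third samples are the cases a user is worst at judging: a padded double extension that the mail client may display as "invoice.pdf", and a .jpg that is really a PE file. The gateway never has to ask the recipient how they feel about it, which is the whole point of preferring the control over the training.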

Parting thoughts: This is not to say I think user education is worthless. I think a proper security approach blends user education (along the guidelines above) with strong technical controls. I simply think the mix is more like 1 part user education to 9 parts technical control.