Face-Off: Schneier, Ranum debate security awareness training) can’t come to a conclusion whether we are doing the right thing.
Effectiveness of security awareness programs is quite hard to measure and i won’t get into that discussion here (tho i think that we are making a mistake if we are not trying to benefit from the experience of our marketing colleagues on this) but i believe there many factors to consider – positive and negative. And recently i seem to come across one of those negative factors a lot; security professionals who seem to belittle the sparking curiosity of users in information security. It seems as soon as an IT/information security hot topic hits the mainstream media security professionals start to sigh and feel someone stepped on their turf. They are quick to comment “Just another over-hyped story”, “The sky isn’t falling, just the usual media hype” etc. and unfortunately i have to admit i did that myself as well (Conficker April 2009 anyone?). Granted, most stories are hyped in mainstream media and there is no problem to discuss and rant about it with your fellow security professionals, but why oh why would we try to play down relevant security events in front of users? Sure, it makes you look competent to claim “No worries, we got it. Its not that bad.” but in truth i believe we are carelessly undermining our attempts to raise awareness.
Let’s face it – mass media is doing an incredible job relaying information to the wider population in a way that catches their attention; sure they might exaggerate and miss some technical facts, but the important part is that they get the attention and spark interest. I believe we, as security professionals, should grab any chance we get to leverage the exposure of security topics to the, usually uninterested or otherwise occupied, population. Don’t get me wrong, i’m not saying to encourage the hype, but don’t suffocate sparking inquisitiveness by stating ‘don’t worry we got it, that’s our job’. Take the time to speak to your users, answer their questions, use ‘hyped’ security stories as an opportunity to engage with them, make mass media hype a tool in your educational portfolio – it works for celebrities, why not for us? Ask yourself – did my corporate security awareness program do a better job at educating users about encryption of data in transit or did Ashton Kutcher’s faux pas (Ashton Kutcher’s Twitter account gets hacked, Punk’d, at TED Conference) relay that information more efficiently? As mentioned before it’s hard to measure what of your security awareness program ‘sticks’ with the users but realistically I’m a firm believer that mass media, as annoying and inaccurate it might be at times, does a far better job raising awareness than all corporate programs put together.