Why do we continually blame the “user” for a lack of security awareness? – A Polite Rant

Why do we continually blame the “user” for a lack of security awareness?
Coming back from one of the most successful information security conferences in quite some time, it was difficult (but not impossible) to find something that needed improvement. I was confused and disappointed in the number of presentations that I attended that made statements to the effect of:

• Users are dumb!
• We need to tell our users to stop clicking!
• There is no patch for user stupidity!

All of this talk got me to thinking. Who is really failing here? Who are the ones that are truly the dumb ones? As an information security professional, I am disappointed in the percentage of mouthpieces and/or practitioners that fail to grasp the basic tenets of how communication works. You see, like so many things, many of us suffer from the failure to effectively communicate the problem statement, the failure to accept criticism as an opportunity to improve, and, most of all, the failure to communicate at all. It is driving me nuts!

Quite simply, when your “user” clicks a hyperlink in a phishing message, we fall back on the yearly compliance tutorials, likely invented in response to the Melissa and Loveletter worms of 1999 and 2000, respectively. We sit back in our arrogant and condescending voice and say our training was not adhered to; that ‘user’ is dumb! Folks, it is 2011, and the problem has not gone away. Perhaps the payload has changed, as we now have advanced persistent threats (whatever that is), trojans, and rootkits. However, the vector remains IDENTICAL, and has for over a decade. We need a new approach, and we need to rethink how we address our (dumb) ‘users’.

I do not claim to know about every person’s specific scenario; however, I am an expense to my organization. I hemorrhage money from the company’s bottom line profits as a necessary evil to prevent the company from hemorrhaging larger amounts of money at the hands of lawyers and regulatory bodies. To imply that we are in a position to be condescending to anyone within the organization is absolutely, positively ridiculous. To imply, infer, or simply think of a ‘user’ as simply a ‘user’ is foolish. They are a partner. Their actions dictate a large portion of whether you are the pigeon or the proverbial statue. Yes, the term ‘user’ is compact, making for perfect slang on a PowerPoint deck or tweet. But to be condescending to the hand that feeds you is incredibly arrogant.

Perhaps I am in the minority here; however, after listening to speaker after speaker talk about security as a ‘we’ versus ‘them’ scenario, I am quite certain that we cannot, and will not, secure our environment through a tug of war or battle of attrition. According to Kumaraguru, Sheng, Acquisti, Cranor, & Hong (2010), our customers look to us to perform three concurrent and complementary tactics to mitigate a threat (e.g. a phishing message):

1. Silently and transparently remove it
2. Simplistically communicate/warn the customers of it
3. Train and communicate to the customers so that they can identify variations of it

So much of our focus as practitioners is on silently and transparently removing threats through automated devices such as firewalls, IDS/IPS, etc. The vendors (also a popular target in conferences) are marketing these directly to the people in the trenches. Vendors also have identified the opportunity to communicate/warn customers in a simplistic manner. For evidence, look at the green address bar in the browser. Unfortunately, the underlying protocol is broken, but hey, it is in fact simple. Mission accomplished.

If you notice the last tactic, this is the one on which, in my opinion, we fall flat on our face. We do yearly compliance training using canned presentations. We simply check the box, year after year, and expect a different outcome. While I am highly encouraged by the work of folks like Dave Kennedy on the Social-Engineer Toolkit, providing the tools is simply not enough. We need to use these tools in everyday work and drive these types of training and awareness to the masses. Furthermore, we need to provide a consistent and repeatable framework describing what the threats are and how they can be mitigated via awareness training, and provide support for organizations to implement the recommendations within the framework.

Rather than sitting back and launching a tirade about the educational competency of our stakeholders while the collective community continues to hemorrhage like a stuffed pig over vectors and methods that are over a decade old, a number of us are seeking to do something about this vacuum of information. Of course this is blatant self-promotion for the Security Awareness Training Framework working group, located at http://groups.google.com/group/SATF-workinggroup, but if you could recognize this as self-promotion, then why can’t we do a better job of recognizing phishing messages?

References
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10(2), 1-31.
