Security: Why Education will Never be Enough - InformationWeek


07:00 AM
François Amigorena, founder and CEO, IS Decisions

Security: Why Education will Never be Enough

After more than a decade of trying to educate users, IT security professionals still aren't getting their message through.

Weekly reports tell us that user negligence is to blame for the vast majority of security breach incidents. The CERT Insider Threat Center determined that most security incidents initiated through phishing and other social engineering are carried out by acquiring and misusing user credentials for secured systems.

The challenge is that users are indeed human. They are flawed, they are careless and often exploited. In computing, users are in fact defined as “those that generally use a system or a software product without the technical expertise required to fully understand it”.

Working as an IT administrator, you can be sure that the favorite things you hear a user say include:

“So I installed…”

“Here, use my account”

“What would happen if I hypothetically did it?”

“We wanted everyone to use the same password because they forget it all the time”

And, “Oops, I did it again…”

Not everyone is listening

To address the human aspect of security, we know that better education must be part of the solution. If a user is given the tools to truly understand why they are being asked to work and behave in a certain way, the sense of frustration and inadequacy they may have felt previously could well be alleviated.

Clearly, not everyone is listening to the security education experts. But have we stopped for a second to consider that if people aren’t taking the advice of the professionals, maybe the advice itself is flawed?

IT security experts try extremely hard to push people down one way of thinking. “Don’t share passwords”, they say. “Don’t re-use passwords across multiple applications,” they add. But what many of them forget is the cost to the user of adhering to each of those pieces of advice.

Let’s analyze the first piece of advice: “Don’t share passwords.” This is now just the world we live in. These days, to most people, the convenience of accessing data quickly is more important than securing data. Yes, there’s an education piece to be done there by security advisors around the dangers of password sharing, but in the hustle and bustle of everyday work, where employees barely feel like they get five minutes to sit and breathe, it’s no wonder they cut corners to get the job done.

To them, getting the job done is far more important than considering the minute risk they may pose to their business or their data by cutting the odd corner, especially if they share passwords with just a trusted group of people.

Now let’s analyze the second piece of advice: “Don’t re-use passwords.” What, so we expect people to remember tens of unique passwords, each containing a mix of uppercase characters, lowercase characters, numbers and symbols? Employees manage around 27 unique passwords — that advice is simply not practical.

It’s at this point that most people start to ignore the advice of cybersecurity advisors. They don’t believe the danger is real, and the advice is not practical in the modern digital world anyway. It’s a bit like children ignoring what they see as their overprotective mother who doesn’t understand the real world. And that’s when breaches happen. And we get to say, “We told you so” and “Education is key”. And “get down off that stool, it’s dangerous.”

We must accept that employees aren’t going to change their habits in a hurry, no matter how much you try to scare them into doing so. We live in a world where convenience and simplicity are so important, and the advice the industry has been giving doesn’t always support the way workers want to get on with their job. The industry has been touting the same “education” message for the past 10 years, and quite frankly, if it hasn’t worked by now, it’s never going to work.

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.
