Some people think that administrative controls are weak compared to technical controls because people are relatively unreliable in following policies and procedures. Security awareness training is one such control. My British colleagues refer to mandatory all-employee training as "sheep dip," after the way sheep are herded single-file through a trough filled with some disease-preventive treatment. Some claim that training is just sheep dip: check the box and move on.
A contrary case can be made. If 80 or 90% of employees take the training to heart, they create social pressure on the other 10 or 20%. It helps create that elusive security culture. The majority also gives security management many sentinels, and many ways (one for each security-aware person) to find out when something goes wrong, and so many ways to win certain battles. When the bad guys have so many asymmetric advantages, it is great when the good guys have one.
If this is true, there ought to be a business case in there, somewhere. Even if not all employees take the training to heart, even if this administrative control is leaky, is there a demonstrable business case for security training?
The argument is probabilistic, and FAIR is the perfect framework for addressing it. Consider anti-phishing training. Your phishing training vendor launches a series of test emails containing phishing bait to the employee base. The rate at which employees take the bait is the pre-training measure of the Resistance Strength (RS) of the culture. Then the employees are trained in one or more ways, and more test emails are launched. This can go on for several cycles.
The dismaying result is often that 5 to 15% of the employees still take the bait after the training, even after repeated trainings, and even after very individualized "don't do that!" feedback. It's enough to make a security manager weep, and to increase the skepticism of the CFO.
Or is it? The take-the-bait rate after the training is the new level of the RS, which is just what we need to estimate the value of the training. A FAIR-minded security manager uses these two numbers in a risk analysis of a phishing threat scenario and quickly gets the annual loss expectancy with and without the training. Divide the reduction by the cost of the training and you get the return on security investment (ROSI). Voila! A business case the CFO can respect.
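Here is the calculation above worked through in code, as an added example that is not part of the original post. Every figure in it (threat event frequency, the probability that a click turns into a loss event, loss magnitude, training cost, and the before/after click rates) is a constructed assumption, not data from any vendor or FAIR analysis; the click rate on test emails stands in for one minus Resistance Strength, and ROSI follows the post's definition of ALE reduction divided by training cost.

```python
# Added example (not from the original post): a FAIR-style business case for
# anti-phishing training. All figures below are constructed assumptions.
import random
from dataclasses import dataclass


@dataclass
class PhishingScenario:
    tef_per_year: float        # Threat Event Frequency: phishing emails reaching staff per year
    p_loss_given_click: float  # probability that one click becomes an actual loss event
    loss_per_event: float      # loss magnitude per loss event, in dollars


def ale(scenario: PhishingScenario, take_the_bait_rate: float) -> float:
    """Annual loss expectancy. The test-email click rate stands in for
    (1 - Resistance Strength): the share of threat events that get through."""
    loss_event_frequency = (scenario.tef_per_year * take_the_bait_rate
                            * scenario.p_loss_given_click)
    return loss_event_frequency * scenario.loss_per_event


def rosi(scenario: PhishingScenario, rate_before: float, rate_after: float,
         training_cost: float) -> float:
    """Return on security investment as the post defines it: ALE reduction / cost."""
    return (ale(scenario, rate_before) - ale(scenario, rate_after)) / training_cost


def simulate_reduction(rate_before, rate_after, trials: int = 10_000, seed: int = 1) -> float:
    """Monte Carlo variant using (low, high, mode) ranges instead of point estimates,
    which is how FAIR analyses usually handle uncertainty. Returns mean ALE reduction."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        s = PhishingScenario(
            tef_per_year=rng.triangular(1500, 2500, 2000),
            p_loss_given_click=0.02,
            loss_per_event=rng.triangular(20_000, 80_000, 50_000),
        )
        total += ale(s, rng.triangular(*rate_before)) - ale(s, rng.triangular(*rate_after))
    return total / trials


if __name__ == "__main__":
    base = PhishingScenario(tef_per_year=2000, p_loss_given_click=0.02, loss_per_event=50_000)
    print("ALE before training:", ale(base, 0.30))   # 30% took the bait pre-training
    print("ALE after training: ", ale(base, 0.10))   # 10% still take it afterwards
    print("ROSI:", rosi(base, 0.30, 0.10, training_cost=40_000))
    print("Monte Carlo mean reduction:",
          simulate_reduction((0.20, 0.40, 0.30), (0.05, 0.15, 0.10)))
```

Even with the post's "dismaying" 10% residual click rate, the reduction in ALE, not the residual rate, is what drives the business case.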
Supposing that the ROSI is attractive, another interesting take-away is that even less-than-perfect training has not only a benefit, but a quantifiable one.
You might think that people who sell security training for a living would be able to help a prospective customer with such a business case. However, I was more disappointed than surprised when none of the three training vendors in a recent security panel discussion gave any clue of this approach.
By the way, where else do you get such a nice clean way to objectively measure RS with and without a control?