D’ohs and Dons of Cyber Security Training (1/2) — the D’ohs

I have been taking, running, and eventually creating cyber security courses for a while. I have had both my Homer Simpson moments and increasingly frequent bright moments. I will try to share them here in two parts, first the D’ohs and then the Dons, and what Dons have got to do with this.

janikenttala
badrap.io
5 min read · Jun 15, 2020


What if people wanted to learn good cyber hygiene habits?

“People are the weakest link” myth

It is easy to talk about human beings being the weakest link: “people don’t care about security”, “people can’t handle it”, “people don’t get it” and so on. Is there any other industry or skill area in working life where you intentionally downplay the humans while still employing them to do the job? Humans have social superpowers which make them one of your best defences if just given a chance.

Shall we blame the people, or empower them? I’ve picked my side.

“People don’t want to or can’t learn cyber security” fallacy

A big portion of them do. How big? Depends on the teacher.

Have you ever heard a primary school teacher say: “No use teaching Spanish, students will never learn.” I don’t think so. A teacher sees the shades of gray. There are those who learn just by taking a glance at the book. Then there are those who have difficulties, and those who lack motivation. And in between, there are many, many capable students. The situation is similar when it comes to people and security. In practice, when given a chance, people feel cyber security is important, and they want to and can learn.

I used to blame the people, until I learned a lesson from the teachers.

“There is a technical gizmo for that” delusion


It might feel that humans are hard and technology is easy. That may be true when it comes to relationships, but in cyber security there is no magical technological silver bullet that will solve it all. There is always the next-gen cyber security fad, trend or magical gizmo that is being used as an excuse not to invest in humans and their training.

In the worst case, the latest technical defences have just made us more vulnerable. I see it like this: bad guys can always shop for the latest gizmos as well and train against them at home, but they can never adapt to your human defences and instinct. There is a place for technical defences, but training us, the humans, evens the game and turns an uneven match into more of an Alien vs. Predator thing. Hmmm, who won? :)

“It is an IT problem, no it is an HR problem” debacle

Arranging cyber security training and onboarding seems far too often to fall between the cracks. IT departments are busy with technology, and HR departments may feel that IT owns cyber security. Happily, this seems to be solvable by someone taking the lead and asking IT and HR to help.

“Compliance got to be dull” despair

Someone I know went through a mandatory employee information security course. The course had all the usual bells and whistles: a well-produced 40-minute video, talking heads explaining different aspects of information security, and an exam afterwards. The outcome was a frustrated employee who thinks security courses are an utter waste of time. That got me thinking. I know he cares about security and privacy. Then it hit me: we are not just passively complaining about people; sometimes we are the ones who ruin them.

“I need to get back to work. Come on, isn’t this over yet?”

At one point, he asked why he needed to learn the topics in the video. I didn’t have the answer. The content was mostly suitable for someone aiming to be a CISO, but every employee of a large organisation needed to take it. Time away from his actual job added to the stress, and he tried to get work done while completing the course. Putting the video in the background didn’t work; the course creators had that covered. The quiz at the end requires participants to remember trivial details, such as terminology and lists of the concepts mentioned. Congrats, you need to go back, you lose more time, and you end up even more stressed.

In the next part, I will try to find ways to make even compliance training more fun, engaging and efficient.

“Cyber security trainers and experts are infallible” mistake

Cyber security is a moving target. People have been told to change passwords too often, giving birth to those post-it passwords on monitor frames that you can spot in casual workplace videos. It made sense back in the ’90s, when you could pretty easily brute force weak password hashes. Yup, there has been a bit of a cargo cult: stupid things have been taught, and yours truly has stumbled as well.


With cyber security training and onboarding now being more commonplace, we can learn from the feedback and dialogue in order to create more interesting and up-to-date content. We learn how to enable people to be our best line of defence.

In this part we saw how we might have been driving people away from security. In the next part I will take a look at what we can do to win them back, and what “Dons” have to do with all of this. Follow this publication, @badrapio on Twitter, or me on LinkedIn to be notified of the next post.
