Disinformation Targets Security Awareness Training: The West Point Story
If you follow the security awareness space, it’s likely you’ve come across Dave Aitel’s controversial post on CSO challenging the value of security awareness training. The story shed a lot more heat than light, because (as numerous industry observers revealed in the rebuttals that followed) its assumptions were seriously flawed. But while it exposed a general level of ignorance about how awareness training actually works, it also brought to light the many ways in which awareness training misses the mark when done poorly. And that, unfortunately, was the shifting sand upon which Aitel built his house. For example, he cited the old “phishing experiment” conducted at West Point back in 2004. In short, a sampling of cadets were sent a phishing e-mail to test their responses. In spite of having undergone computer security training, 90 percent of the cadets still took the bait and clicked the malicious link. Consequently, Aitel positioned this event as “one of the best examples ever of the limitations of training.” A far more accurate conclusion would position it as an example of the limitations of bad training.
Let’s set something straight: the West Point outcome is not an indictment of the effectiveness of security awareness training—or of any other sort of training, for that matter. It is, however, a reflection of the way the brain works and how people learn. Effective security awareness relies upon proper message delivery. Every advertiser knows you don’t deliver a message once and call it done. Messages—even obviously vital ones—must be repeated, reiterated, and reinforced.
The West Point example certainly invites questions about the quality of the awareness training the cadets received. What were the conditions and circumstances under which it was conducted? What was the nature of its content and delivery? Did the program even follow the principles of effective training? As it turns out, the training—and the exercise as a whole—was marked by numerous defects and compromises that were readily conceded by its authors.
The experiment’s designer, Aaron Ferguson, a visiting computer science professor at the time, noted that the exercise, though imperfect, did prove that instruction, while clearly necessary, is not sufficient on its own to achieve learning objectives. “Students,” he explained, “have to touch, feel, and experience the content in order to learn. The goal of any security awareness exercise should be to make security an attitude . . .”
The point Ferguson rightly makes—and it is ultimately the point of the West Point project—is that in order for behavior change to occur, the program must be built on effective training and communications methods and be delivered over a sustained period of time. Just like an advertising campaign. And given the stakes—shareholder value, customer trust, regulatory compliance—a proper security awareness program is worth far more than its weight in the many business values it protects.
Sadly, Aitel’s telling of the episode leads one to conclude that the West Point exercise was a complete failure, when in reality it was a great success. Here’s the kicker: The cadets learned from the experience, and their post-test security behaviors were much improved as a consequence. In fact, after just two iterations of the phishing exercise, the failure rate plummeted to under 5 percent! But Aitel failed to mention that inconvenient fact.