The challenge of how we structure, analyse and select the security advice we deliver to end users has been a reoccurring topic in this column. We can’t provide unlimited advice to unlimited people so we need to prioritise. Costs need to be understood. We need to consider not just the displacement of productive activities for employees sent on training but also attention spans which are part of a finite economy. Training people on X reduces their tolerance to absorb Y. Everyone has their limits no matter how interesting or important we think our information is.
When selecting which security advice to prioritise it’s important to consider two aspects. Firstly, will the advice you’re giving be valid in the longer term? Or, is the advice likely to become obsolete as threats and attack techniques rapidly evolve? Secondly, to what degree is the advice we’re giving likely to be effective? Will it only be valid in very specific circumstances or will it be a reliable rule of thumb or universal truth that can be widely applied? The holy grail of advice therefore should be to focus on the long term advice that addresses the widest set of risks possible. Sounds simple, but arguably much of our advice has historically been short term and situation specific.
For example, consider how our anti-phishing security awareness advice has changed over the years. Much of it was short term in nature that quickly became obsolete as threats quickly evolved. We told people to avoid .ru links so attackers moved to different addresses. We told people to watch out for spelling mistakes and poor grammar so attackers improved their English. We told people to use https connections so attackers made sure to get a certificate for their phishing sites and use SSL. Our advice now remains as a useless evolutionary awareness appendage or worse. There are people that conclude an email is safe just because it is grammatically correct and the embedded links use https. It would be easy to say that users have misunderstood the difference between transaction privacy and entity authentication but I suspect we haven’t made it any easier for them.
In contrast, the advice to avoid opening attachments or links in emails that you’re not expecting remains as potent as ever. It’s a universal truth that is likely to remain true in the future as well. With the benefit of hindsight, our security advice needs to be strategically focused as much as possible to focus on these long term, universal ‘truisms’ rather than short term tactical fixes. If you’re about to issue advice to users, consider where it fits. In some cases perhaps it could be tweaked to lift out some specific detail that would limit the longevity of the advice and make it a universal truth that would fit into the ‘Strategic’ box. What do you think of the table attached? Does it help to provide structure and a way to classify our communications? Do get in touch with your views.
In other news, the Australian Government has issued ‘advice’ encouraging people to switch off 2 factor authentication when travelling overseas. Apparently, 2-factor authentication isn’t really all that important when using wireless internet from strangers or connecting from an internet café. Unbelievable. This kind of awareness pollution makes our job much harder.