An earlier version of this post was published in October 2014.
Previous posts on phishing, here, and here, discussed factors that reduce the effectiveness of user security awareness training as a protection against phishing. We’re not saying that awareness training can’t help to some degree, possibly for tightly defined business procedures and processes with enforced behaviour boundaries. People have had success in some cases, sometimes only relative improvements, but in the general case it’s usually only a matter of time until someone gets fooled. If the stakes are very high, that may no longer be acceptable.
In most cases, users get the blame as the culprits for incidents, for not being careful enough, or for being dumb, lazy (or not well enough trained?). Users are simply humans doing what they are supposed to be doing at work, or what they normally do for personal leisure. In any enterprise, it may “only take one” instance of a user falling for click bait for trouble to start. Despite the best intentions, staffers who harbour no malice, IT staff and even security officers can be fooled by cleverly crafted and sophisticated spear phishing attacks.
If clicking is a likely, or inevitable, event, shouldn’t the overall defence against phishing address that fact? Anup Ghosh summed it up nicely with this statement, which I’ll repeat from the last post:
“You must find a security solution that accounts for the fact that users will click on links and open attachments, because they will.”
Limitations of the Human Brain
I read some interesting things in the book “Switch: How to Change Things When Change is Hard” by Chip and Dan Heath. The book is about why it’s so hard to make significant and lasting changes, even when they are sorely needed. It turns out that the primary obstacle is the built-in conflict in our own brains between our emotional (lizard) brain and our rational brain, which compete for control. The trick, of course, is to get them acting together.
One thing I noticed in the book applies directly to security awareness training as protection from phishing. The authors discuss a study in which test and control groups were given two seemingly unrelated sequential activities. In the first task, the test group had to exercise a lot of self-supervisory control; the control group did not. The second task, a problem-solving exercise, was (unknown to the participants) unsolvable, and the test group gave up in roughly half the time of the control group.
The authors tell us that “Dozens of studies have demonstrated the exhausting nature of self-supervision.” Self-control, as exercised in self-supervised kinds of activities, has limits and is draining. In other words,
“Self-control is an exhaustible resource.”
They tell us more about the implications:
“Here’s why this matters for change: When people try to change things, they’re usually changing things that have become automatic, and changing those behaviours requires careful supervision by the [rational] brain. The bigger the change you’re suggesting, the more it will sap people’s self-control.”
“And when people exhaust their self-control, what they’re exhausting are the mental muscles needed to think creatively, to focus, to inhibit their impulses, and to persist in the face of frustration or failure. In other words, they’re exhausting the mental muscles needed to make a big change.”
“So when you hear people say that change is hard because people are lazy or resistant, that’s just flat wrong. In fact, the opposite is true: Change is hard because people wear themselves out. And that’s the second surprise about change: What looks like laziness is often exhaustion.”
So should you feel bad if you are the Suckerphish who clicks on the bait or opens up an attachment? Maybe. Maybe not. It depends on the context and your real, honest effort. Let’s put it this way: you’re not helping your enterprise or organization, or yourself for that matter, if you are not vigilant about possible risk these days and are either careless or reckless.
Or maybe that nasty security dude is just making you exhausted with all of the self-supervisory decisions he’s dumped on you. I mean, you as a user are only human, which means that 98% of your brain is operating at the emotional (lizard brain) level. So if you find yourself agonizing over whether it’s safe to click on a link, or trying to remember what they said about URLs in that training session last month, we understand. It’s natural for you to feel this way.
All you want to do is,
“CLICK ON THE LINK AND GET ON WITH MY WORK!!!”
Maybe this provides more insight into why security awareness is often just not enough protection against phishing attacks. Sure, there are benefits of security awareness training in terms of incident reduction and less clean-up and maintenance for IT, but in the end that is secondary and short-term. At Trustifier we look at most things from the potential insider threat point of view. Consider security awareness training in light of a planted staffer or an inside colluder who deliberately opens an attachment or clicks on that evil link, with the reasonably typical excuse of:
“Oops. -My bad.”
Who would know the difference? That’s the point. Security that protects against the deliberate case will also protect against innocent clicks where the user is simply fooled.
That’s why our position is:
Security is not postponing, or deferring an event when users click on a malicious link. Security is what protects you WHEN users click on that link.
This series has considered factors that make it harder for security awareness training to completely eliminate phishing attacks. Training should not be depended on as the main line of defence against phishing. Technical controls can help protect users from themselves, as well as protect your enterprise from innocent errors that could lead to disasters. KSE trusted computing provides kernel-level internal technical controls for this protection. Soon, TUX AI will automatically deliver comprehensive, bundled protections, including phishing and ransomware protection and more, even to SMBs without technical expertise. If you haven’t taken the quick TUX AI tour yet, you can see it on our start page, here.
Blame the user? A look inside the brain of a suckerphish.