Most efforts to teach Information Security backfire because the threat seems unstoppable. Business Reporter’s resident U.S. blogger Keil Hubert recommends using classic stories to help overcome users’ sense of fatalistic defeatism.
Training without meaning and context is worse than useless; pointless training is soul-sapping drudgery. It poisons a student against its subject for life. That’s why most technology and security training has the opposite effect of what’s intended: instead of making its students qualified and ready to perform a necessary function, bad training befouls its students’ attitudes towards the subject and inspires them to disregard its teachings out of sheer spite.
As a practical example, consider the dreary ‘annual information security’ courses that companies force their employees to complete each year. In most cases, the ‘training’ is a slide-driven Computer-Based Training (CBT) module where a somnambulistic narrator pedantically lectures at a kindergarten level about InfoSec topics for an hour. At the end of the course, the student has to complete a multiple-choice exam. If they fail to hit an arbitrary rote memorization goal, they have to repeat the quiz until they randomly guess right on enough answers. It’s ritualistic abuse masquerading as ‘training,’ delivered out of obligation, not out of a desire to educate, inform, or change behaviour.
Everyone needs InfoSec training; that’s indisputable. When you ask IT professionals what they need most to keep their core business functions running, they invariably reply that they need their users to stop doing counterproductive things (like falling for phishing e-mails) and start routinely following safe systems-use practices (like locking their PC whenever they leave it). In most companies, the majority of security incidents that cause financial, operational, or reputational harm could have been avoided if only one or more users had not made a preventable mistake.
Business leaders have to train their people on safe systems use. That’s why users get initial training on safe systems use when they’re hired, and then again on the anniversary of their hiring every year thereafter. Every year, users get lectured that their actions keep the company safe … and that training is almost always ignored. Why? Because (a) the training is boring, (b) the content doesn’t hook the students’ interests, and (c) most students have wearily given up trying to practice InfoSec.
Some annual training CBTs will automatically play themselves, allowing the user to click ‘start’ and then nap until the end-of-course quiz pops up.
It’s that last part of the problem that fascinates me. I study human behaviour’s influence on InfoSec. The complex issues of human motivation, belief, action, and rationalization tend to leak into everything that I publish, from my weekly columns to my books to the IT Troubleshooter course that I teach to at-risk youth. After years of research and applied theory, I’ve come to the conclusion that the optimal way to counter users’ destructive behaviour is to train IT staff how to properly engage users. Make the InfoSec message personal, make it compelling, and reinforce it constantly. That means teaching IT staff why people do barmy things, which means explaining the concept of ‘security fatalism’ and how it undermines good security practices.
I appreciate that ‘fatalism’ may seem odd in a column about training. Hear me out. As a functional definition, fatalism is the belief that all events are predetermined and, therefore, inevitable. You can’t change your fate. Struggling against it only postpones the inevitable … and might well make things worse. That’s how a surprisingly large percentage of users consider Information Security. This, in turn, instils a sense of defeatism – practically defined, the acceptance of defeat without struggle – in otherwise rational and responsible people. Put simply, they don’t bother making the required effort.
Here’s the problem: when it comes to security, every user’s actions (including actions not taken) affect everyone else. If 99.9% of users correctly meet a performance standard (like setting strong passwords) and only one user fails to meet that standard, the entire organisation can still be compromised. Effective InfoSec requires every employee to perform every task correctly every time. That’s a darned difficult standard to meet, even for people who are highly motivated to comply … and most people just aren’t that motivated.
See, most normal people aren’t constantly thinking about security; they’re just trying to get through life. The average user has dozens of topics (like relatives, work, bills, etc.) constantly vying for his or her attention. A normal user rarely has the free cycles to contemplate hypothetical downstream consequences. Normal people don’t use their technology to ‘integrate into a holistic global over-mind’ the way that advertisers touted automation in the nineties; people just want to get things done. They have little attention left over to spare for security theory. They come to work, they tap a random key to wake up their workstation, enter a user ID and password, and start slogging through their e-mail queue. The PC may be an essential business tool, but using it is a dreary chore.
Say what you want about the 1990s, but the inherent limitations of early PCs allowed users to put e-mail management out of their minds at quitting time. Now, we expect workers to be reachable by their smartphones 24/7. It’s a dreary chore that NEVER ENDS.
Security professionals need to remember that when we’re crafting our end-user training. When we demand that our users become experts in a highly complex technical field, what we’re really conveying is that we think our users will never be smart enough, or skilled enough, or diligent enough to do their job correctly. It’s haughty and condescending. That naturally irritates people. Then, when we admonish users that their slightest mistake can cripple the company, it’s only rational for them to give up. Why bother? If failure is inevitable, then compliance is a waste of effort.
This topic came up last week while I was teaching the ‘PC Applications Support’ block to my Troubleshooter Course students. I went on an unplanned hour-long sidebar about how important it is to understand your users so that you can directly address their concerns. Every time that a tech support agent engages a user (I argued), they should make a deliberate effort to praise the user’s good security habits and to remind them of how their diligence contributes to a stronger, more robust overall ecosystem. Achieving security perfection is unrealistic (and, honestly, not cost-effective). Our goal as enterprise defenders has to be to encourage users to take reasonable security-minded actions as a matter of habit. Stress that each user’s actions matter. Mistakes will be made, sure; that’s no reason to give up. Teach users to keep trying, use good judgment, and do their best.
One way that I’ve found to convey these ideas is to speak in terms of shared pop culture products. Take Ernest Hemingway’s tragic war novel For Whom the Bell Tolls, for example. I’d be willing to bet that your literature teacher probably droned on about how ‘interconnection’ is one of the primary themes of the book. The title and the epigraph that the title quotes suggest that the outcome of the Spanish Civil War wasn’t just important to the people who fought in it, but in fact affected everyone. Had Franco’s fascists been defeated in 1938-39, perhaps the Axis Powers would have been reluctant to launch their own war of conquest immediately thereafter.  We can use that.
When teaching InfoSec, we tend to over-emphasize the interconnection aspect of information systems, often to our detriment. Yes, it is important to teach users that a careless mistake made in Barcelona can have consequences later for servers in Belgium. Understanding that everyone has a meaningful part to play helps to build camaraderie. That’s fine. Unfortunately, the idea lets users ‘off the hook’ (so to speak); if everyone is equally responsible then the actions of any one person don’t especially matter. Someone’s bound to make a mistake somewhere, and then everyone is doomed. That’s a great starting point when talking to users about practicing good security, but too many annual awareness CBTs stop there and then bring up the multiple-choice quiz. Bad form.
One supremely bad practice from the 2000s was to let one user play back the security awareness CBT for a group and then give all the attendees ‘credit’ for having completed the course.
That’s why I urge my students to invoke FWtBT’s other overarching theme when teaching InfoSec: remember how your English lit teacher lectured about the characters’ sense of fatalistic defeatism and how their negative mind-set doomed them all. This is the conversational wedge that we can use to get users to open up about their sense of helplessness and how it affects their daily activities.
If you remember the novel’s plot, hero Robert Jordan is ordered to sneak behind enemy lines and blow up a bridge. Some of the guerrillas that are supposed to help Jordan reach his target are afraid of fascist reprisals and try to sabotage his mission. Jordan decides to carry on, even though he comes to realize that it’s become a suicide mission. The protagonists attack … get ambushed … and most die. The heroes expire bravely but pointlessly, as the demolition of the bridge doesn’t affect either the tactical outcome of the immediate battle or the strategic outcome of the civil war.
The third major theme of FWtBT is personal courage. It’s probably the one that Hemingway was most interested in exploring. Throughout the story, the characters persevere out of blind loyalty to their cause, even as they become bitterly disillusioned by the hypocrisy and incompetence of the leaders that are supposed to embody the cause’s ideals. Hemingway isn’t subtle with his observations on the idiocy, butchery, and pointlessness of the Spanish Civil War (especially at the level of the isolated individual). He stresses this point by having the characters question their motives and contemplate their own deaths … then soldier on with the plan even though they know that it’s a doomed endeavour. Every fighter has the chance to back out, yet they attack anyway.
That’s the part that always bothered me about the story. I can admire the heroism, empathize with the characters’ fear and loss, and curse the futility. Hemingway’s anti-romantic portrayal of war makes it visceral to the point of anguishing. Stepping back, however, the protagonists’ unshakable sense of fatalism – that is, ‘we must carry on no matter how pointless it is’ – is militarily infuriating.
Real soldiers will persevere beyond the limits of normal human endurance, but not for pointless stupidity. Blind obedience to crap orders is an outdated concept.
Looked at as a whole, the plot arc – the mission to collapse the bridge, thereby delaying Nationalist reinforcements – is a travesty. While reconnoitring the bridge in chapter 3, Jordan realizes that the bridge could be destroyed without the unnecessary risk of close action. While preparing to attack in chapter 8, Jordan realizes from the arrival of enemy reinforcements that his allies are leaking their plans to the other side. In chapter 11, Jordan discovers that the enemy know that an attack is imminent. In chapter 13, it starts to snow, making it impossible to conceal the raiders’ retreat. That’s thirty bloody chapters before the actual attack occurs. The characters know that their plan is nonviable. Attacking the bridge as originally planned has a very low chance of succeeding, will have little impact on the larger battle, and will likely result in the loss of all personnel. It’s not only pointless; it’s inept.
That’s not how real military operations are conducted. Commanders assign objectives (like ‘blow up this bridge’) with associated context (‘because we need to delay the enemy’s attempts to reinforce this flank’). Commanders may provide tools, tactics, and timing, but it’s ultimately the responsibility of the leader on the ground to work out how to get things done. Therefore, when Hemingway’s hero realized that his demolition plan was pointless, it was his responsibility to come up with another way to get it done. Change weapons. Pick a new target. Create a diversion to draw enemy forces away. Don’t just stubbornly charge into certain death, especially when doing so guarantees overall mission failure.
On the one hand, the way Hemingway wrote his characters was a painfully realistic look into the actual Spanish Civil War. Jordan was an idealistic American volunteer, taking orders from a Russian operative to work with oppressed peasant insurgents. These weren’t highly disciplined soldiers; they were naïve idealists playing at a game of soldiers in a war prosecuted on both sides by corrupt oligarchs rather than proficient generals. In that respect, the story makes absolute sense.
On the other hand, Hemingway’s characters in FWtBT all surrender their sense of agency, thereby dooming themselves, in order for the tragic plot to unfold properly. Even though the characters all recognize that their circumstances have changed such that their quest is unfeasible, their shared sense of fatalism causes them to march bravely – and pointlessly – to their graves. It’s noble in a literary sense; militarily, it’s criminally wasteful and bloody stupid.
We observed Memorial Day in the USA last week. A grim reminder that there are too damned many of these soldiers’ gravestones. We don’t need people making more out of stubbornness.
A shrewd student should – rightfully! – protest these characters’ rationalizations. Throughout the story, the characters have the ability and the awareness required to change their fate. Yes, certain aspects of the overall problem (like the ideological bankruptcy of the war’s leaders) can’t be helped. They can’t match or wish away the enemy’s high-tech tanks and aircraft. They can, however, dictate their own tactics. Rather than grimly follow a preordained path unto death, they can honourably achieve their objectives while not pointlessly squandering their lives. And yet they fail to. Repeatedly. That’s the tragic arc of the story, and also the key to leveraging the story for our ends.
There’s an unintended – but powerful – parallel between Hemingway’s tragic war story and our contemporary working world. His themes resonate. Yes, we’re all interconnected. Everything that one person does with our company information systems has the potential to negatively affect everyone else. Yes, the amount of information that’s needed to guard against all possible cyber threats can be overwhelming. Yes, in the end, an adversary can always find a way to break into our company information systems. Based on that, it’s completely understandable to feel a sense of crushing defeatism. If we’re fated to get breached, then why fight back? What’s the point?
That’s why I like using FWtBT as an example: after using the protagonists’ mistakes to talk about individual agency, you can also point to the antagonists’ side of the story as a crucial lesson learned. After all, the Nationalists couldn’t stop the Republicans from blowing up their bridge. Even though they had all the advantages, what with superior numbers, better equipment, the advantage of position, and higher morale, it was impossible for them to stop every possible attack. They could – and did! – evaluate the threat, deploy practical countermeasures, and make the stakes high enough that their enemy (our protagonists) couldn’t hope to achieve anything better than a Pyrrhic victory.
I’m not suggesting that we empathize with Franco’s fascists; rather, I’m recommending that the lesson to be taught here is that individual decisions really do matter. Every user’s InfoSec habits have the potential to make a positive difference in keeping the company healthy and safe. Maybe locking one PC screen one time won’t save the company from a dedicated hacker who has years to plan and thousands of PCs to target. It will, however, keep this PC safe from an attack right now. Every time that a user denies the enemy an easy opening, it blunts one more possible line of attack. Every compliant act of hardening frustrates and rebuffs the adversary. The object of InfoSec operations can’t be to create a perfectly impregnable network; that’s impossible. Rather, the object is to make the organisation just hard enough that the bad guys give up in frustration and attack some other target.
No one guard is solely responsible for securing the palace; it takes dozens of guards working together to cover each other. So, too, no one employee is solely responsible for securing an entire company network. It takes hundreds of users, administrators, and enterprise defenders working together to cover each other and keep the bad guys out.
Looking at FWtBT’s battle of the bridge from both sides of the conflict, Jordan’s guerrillas were analogous to the hackers, not to the defenders. They had the advantages of stealth, conviction, and timing. The defenders ultimately won because they were diligent enough in their defences.
It’s absolutely true: a dedicated attacker can always get into his or her target’s network. The trick is, the harder that the target makes it for the attacker to get in, the more it costs them to secure the breach, and the nastier the consequences are likely to be. If remote access malware doesn’t do the trick, physically breaking into an office will … where an intruder stands a very real risk of getting trapped, arrested, or shot. Raise the stakes high enough, and most adversaries will quit the field. You don’t have to be perfect to frustrate the bad guys. You just have to be persistent. Think pragmatic diligence rather than fatalistic defeatism.
That’s our objective: to convince our users to do everything that’s within their power to frustrate their adversaries. Teach them that they have control of their own actions, and that those actions really do matter. It’s just a matter of explaining how in terms and language that they understand, and of making your point in a way that inspires your students rather than boring them half to death.
Many organisations in the US demand both initial and annual-thereafter InfoSec training because they’ve structured their InfoSec programs around the NIST Special Publication 800-53 standard (Revision 3, Recommended Security Controls for Federal Information Systems and Organizations). In this standard, the AT (Awareness and Training) family of security controls requires organisations to ‘… provide basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users; when required by information system changes; and [at an organisation-defined frequency] thereafter.’ See page D-14 if you’re curious.
Hemingway wrote FWtBT in 1939; by the time it was published in October 1940, Hitler’s fascists had seized Denmark, Norway, Belgium, Holland, Luxembourg, and France. The Battle of Britain was well underway, and many suspected that the Germans were contemplating an amphibious invasion of the British Isles.
Photographs under licence from thinkstockphotos.co.uk, copyright: head in hands, pat138241; exhausted, TeoLazarev; upset, shironosov; business team and laptop, narith_2527; distraught soldier, OHNGOMEZPIX; Arlington National cemetery, wingedwolf; changing of the guard, Shmulitk.
POC is Keil Hubert, firstname.lastname@example.org.
Follow him on Twitter at @keilhubert.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Reporter’s resident U.S. blogger.