Understanding the link between information security awareness training & today’s cyber environment
The strength of being human is our ability as a species to adapt to our environment. Over the course of a lifetime, we humans will experience many different environments, and whether those experiences are positive or negative depends on how well we understand and recognize the threats within each one.
In the early years of civilization, we had to be concerned about our physical environment. Being attacked by a saber-toothed tiger while hunting mastodon often resulted in death. Recognizing the threat of becoming a predator’s next meal is easy to understand, but as civilization has progressed and the number of environments we humans experience has increased, staying secure has become more and more complicated.
When many of us began school, we had to learn how to recognize and handle bullies. When the US and the USSR began sending men to space, they had to learn how to protect the astronauts and cosmonauts from dangerous radiation.
Yet now that we have a billion or so Internet users, we are doing a terrible job of protecting ourselves within this new environment. This is because most of the creators and users within this new cyber environment remain ignorant of the threats.
For many years, architects built structures on seismic fault lines and watched as these buildings collapsed when an earthquake occurred. Over and over again, they built structures within a harsh environment and watched in terror as their creations were destroyed. But as the understanding of seismic activity progressed, architects learned how to build stronger and more resilient structures in an attempt to mitigate the risk of their destruction.
In today’s world, when a building collapses during a tremor, we rarely blame the earthquake. We often accuse the architects of that building of irresponsibility because the threat within the environment is now so well understood.
Software developers and architects continue to develop insecure applications, yet most of them act surprised when they are victims of a successful attack. They behave as if they are creating applications that will run within a safe and secure paradise, when, in fact, they are creating applications that will execute within a harsh and unforgiving environment. This behavior will continue until organizations educate themselves about the threats within this new environment and learn how to mitigate risk.
Too often, management has assumed that its software development teams know and are implementing secure software development best practices. This has been a very self-destructive assumption.
A recent study of six hundred application developers tested their application security knowledge; the results were as follows:
“Quizzed on 15 questions, less than a third of the respondents (27 percent) accurately answered more than 70% of the test. The average score on the quiz was 59%. Developers with more than seven years of experience fared no better than those with fewer than three years’ experience.”
It is time to start learning from our past and realize that if we don’t educate ourselves about the threats within our new cyber environment, we will continue to suffer due to our often “willful” ignorance.