“The user is the weakest link” is a common phrase in the world of Cybersecurity, and I hate it. If you’ve spent time working in Cybersecurity, or even in the overarching realm of IT in general, then you’ve probably heard or said these words at some point. I have said them myself several times over the decade I’ve worked in Cybersecurity.
While these words, and this concept, are valid, they’re also not helpful past a certain point.
Training the End User
Most of the time, when people talk about the user being the weakest link, they also think that additional training is needed. According to a survey by Malwarebytes, 70.5% of respondents increased their cybersecurity training during the pandemic, but cybersecurity incidents continued to rise anyway. Cybersecurity training is one of the most common forms of Cybersecurity posturing among businesses, and purchasing external training has skyrocketed over the years. So, where is the issue?
Despite the rise in Cybersecurity training, the standard answer for dealing with the unintentional insider threat (a user clicking on a phishing link) is more training. Why?
When I started working in Cybersecurity, my office had a strict policy on report writing. When writing reports, we were always supposed to refer to actions the system took rather than actions the user took. For example, “when clicked, the system would connect to badguydomain and attempt to download malware.” rather than “the user clicked on the link and went to badguydomain, attempting to download malware.” This may seem like a subtle difference, but it significantly impacts policy writers who don’t fully understand Cybersecurity.
When I write a report saying the user did something, I unintentionally tell leadership that they have a user issue they need to solve. There are very few solutions to user issues beyond training and termination. When I write a report saying the system did something, I tell them they need better security architecting.
But if the user is the root of the compromise, then shouldn’t we be training them more?
Explicit versus Implicit Training
Cybersecurity training typically takes two forms: explicit and implicit. Explicit training is direct training that a user is required to go through, whereas implicit training is training that a user doesn’t recognize they are going through.
Most organizations have some form of Cybersecurity training that users must go through on a one-time or routine basis. During my time in the military, we had an annual Cybersecurity training requirement. Once a year, we had to complete a computer-based training that covered the basics of things like antivirus, phishing, and removable media. As this was the Department of Defense, if we did not complete this training, they would shut off our access to the network. I actually thought this training was pretty good. It was definitely basic, but it was easy to comprehend and presented straightforwardly.
The other form of training most organizations have is implicit user training. Implicit training is training that a user is not aware they are receiving but that is designed to positively shape their actions toward organizational security. Also known as subconscious or subliminal training, this form of training consists of things that constantly happen around and to a user daily, even if they don’t realize it.
An email system that alerts the user that the sender is outside the user’s organization is a prime example. Microsoft and Google offer this for free as part of their business email offerings. This alert is designed not only to tell users that the person they’re emailing may not be in their organization but also to subconsciously train them to look at who they’re emailing before hitting send.
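To make the mechanism concrete, here is an added example (not code from the original post, and not how Microsoft or Google implement their banners) of the decision behind an external-sender tag, run over constructed messages; the organisation domain `example.com` is an assumption. It checks the Reply-To and Return-Path headers as well as From, since a message whose From is internal but whose replies go to an outside address is exactly the case the banner exists for.

```python
"""Added example: minimal "external sender" tagging over RFC 5322 headers.
ORG_DOMAIN and the sample messages are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional

ORG_DOMAIN = "example.com"  # assumed organisation domain


def sender_domains(raw_message: str) -> Dict[str, str]:
    """Return the domain of each header that controls where a reply will go."""
    msg = message_from_string(raw_message)
    domains = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(value)  # strips display name and angle brackets
        if "@" in addr:
            domains[header] = addr.rpartition("@")[2].lower()
    return domains


def external_banner(raw_message: str) -> Optional[str]:
    """Return the banner text to prepend, or None when every sender header is internal.

    Looking at From alone would let an internal From with an external Reply-To
    pass silently, so every sender-controlled header is compared to ORG_DOMAIN.
    """
    external = {h: d for h, d in sender_domains(raw_message).items() if d != ORG_DOMAIN}
    if not external:
        return None
    detail = ", ".join(f"{h}: {d}" for h, d in sorted(external.items()))
    return f"[EXTERNAL] This message originates outside {ORG_DOMAIN} ({detail})"


# Constructed sample messages
INTERNAL = "From: Alice <alice@example.com>\nSubject: lunch\n\nhi"
EXTERNAL = "From: Vendor <sales@vendor.test>\nReply-To: sales@vendor.test\nSubject: quote\n\nhi"
REPLY_TO_EXTERNAL = "From: Alice <alice@example.com>\nReply-To: alice@lookalike.test\nSubject: urgent\n\nhi"

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("external", EXTERNAL), ("reply-to", REPLY_TO_EXTERNAL)):
        print(name, "->", external_banner(raw))
```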
Another example of this type of implicit training is the HTTPS warnings web browsers provide when navigating a website with certificate issues. This alerting mechanism is designed to prevent a user from going to a typo-squatting domain and teach them to pay attention to the certificate of a website (or at least pay attention to whether the little lock is there or not).
The Training Issue
Training is undoubtedly an essential part of a Cybersecurity policy, but it’s important to consider moderation. There’s an equilibrium point where training stops providing a net value. In the same report mentioned above, Malwarebytes discusses the concept of “fear fatigue.” Fear Fatigue is when employees become annoyed with security personnel constantly pushing a culture of cyber fear, an issue only made worse with additional training.
Cybersecurity training is typically focused on the threat that adversaries present to our networks. The problem is that users don’t often see these threats. So from a user’s perspective, we are constantly warning them of dangers they will probably never see. We create fear fatigue where the user stops believing in or listening to the training.
Think back a few paragraphs to the email alerting system. If your job involves contacting people outside of your organization regularly, then you probably see that alert all the time and ignore it. We see this happen with HTTPS errors also. A common phrase in Cybersecurity is that we’re training users to ignore warnings because we show them the notice so often.
This is my biggest issue with suggesting that Cybersecurity can be fixed by training users more. We’ve already reached that equilibrium point beyond which more training will introduce fear fatigue rather than provide a benefit.
What Should We Do Instead?
There comes a point where we need to admit that no training will make our users experts in Cybersecurity. Instead, we must accept that our adversaries will always find ways to get into our network. Once we accept that, and accept that this access may come through things like phishing, we can start to come up with real solutions to mitigate it.
One example is Cloudflare’s new option, “Email link isolation.” Rather than trying to train the users, Cloudflare realized that users would click on links, so they created a solution that isolates risky clicks into a virtual browser. We should also be taking approaches like this. We should be finding ways to protect our systems beyond just trying to train users.
Are users the weakest link? Yes, technically, they are. However, we need to be careful saying that. The solution isn’t to provide more training. We need to look beyond the user and devise technical ways to create defenses that won’t impact the user but still defend against phishing.