Is user-education considered a security measure?

Question

Some people reason that an iOS device is safer from a security context than an Android device, because an iOS device does not simply allow users to install apps from any source other than the App Store while Android has a user configurable setting for this. Obviously there are many more reasons why one or another is safer, but those things left aside. Other real life examples can include warning the user that he or she is connected to a public network or even blocking the use of a program when connected to a public network.

Especially in the last example the user is not in control and this made me think about the line between security (if this even is security) and "user freedom".

• Is user-education a security measure in context of the given examples or do we have different names for these kind of measures?

• Bonus: Are there security guidelines or best practices on when to educate the user (warn) and when to block the user from doing specific things (like installing an app)?

Answer 1

Yes, users security awareness and training is an integral part of a global security policy.

Humans are often told to be the weakest point in the security chain, as you can patch a software vulnerability but you cannot patch a human. The best you can do is make people aware and regularly maintain their attention on potential security issues affecting their daily activities.

Generally, when a tool is available (I mean it is there, ready to deploy) which allows to enforce your policy, there is no reason not to use it. If this tool affects your users negatively, this does not mean that the tools shouldn't be installed, this means that your policy may need to be reviewed.

But sadly not everything can be automated, and there is a lot of areas where there will simply no tool. No tool will prevent a user from giving his password over the phone, opening the door to someone else or sharing his access badge.

The goal of security awareness training will be both:

• To address these areas where security nearly solely relies on the user behavior because there is no practical technical way to enforce the policy (either because the tools do not exist or because the company has chosen not to implement them: maybe they are to expensive, too complex, etc.).

• To prevent the users from bypassing current technical measures: security measures should help the users to respect the security policy, users should not see them as obstacles to bypass otherwise your global security will quickly get weaker.

Answer 2

Security awareness training should be part of your overall cybersecurity strategy, and I would consider it a security measure. Technology can only go so far. No matter what solutions are in place, they are unlikely to be 100% effective, 100% of the time.

Providing security awareness training is essential. Its so easy to assume that end users have a much better understanding of security that they actually have. MediaPro did a good survey on this - https://www.mediapro.com/blog/2016-state-privacy-security-awareness-report/ - although there are many others that have shown shocking levels of security awareness. End users will always be a weak point, but they need not be a liability.

I would also recommend blocking certain risky activities. For example, blocking certain attachments in email (exe, zip files), blocking file sharing websites etc. Users should have some freedom, but there is no need to take too many risks.

Answer 3

Is user-education a security measure in context of the given examples or do we have different names for these kind of measures?

User education in your examples is not the security measure. The security measure is either the technical control of stopping them do something (or enforcing they do something) and the administrative control of informing them of what they should or shouldn't do.

That said training/teaching your users on what to do is highly important. Some security researchers and professionals argue that humans are the weakest link as they do not always follow rules and often make irrational decisions. This is one of the main reasons technical controls are included to enforce the user to abide by an associated policy.

Bonus: Are there security guidelines or best practices on when to educate the user (warn) and when to block the user from doing specific things (like installing an app)?

These will vary based on what it is you are hoping to 'secure'. A good approach is to deploy a defence in depth approach, and by doing that you can mix different types of controls to protect your asset. In this case training would be an administrative control that warns users, and a technical control would be to block the installing of an app.

Answer 4

Education is a strong point of security. You would be surprised how many people are not aware that ads, applications, emails and other forms of communication can contain malware or security risks. Overall, raising awareness and concern that such actions are happening is a good start with any company group or user group you are working with/consulting. The measurements of security also strongly depend on your job and sensitivity of the information in question. If you are working with the publically available material, it is not much of a concern. But if your information is confidential, user freedom should be limited to minimal needs.

When it comes to guidelines, I am sure there are plenty of articles and research papers on what people should do to be much safer. And throughout years people have developed certain practices. As for the access, it is tough to decide when the user should or shouldn't access something. In your example, even chat platforms can become a danger, it all comes down to user awareness of his actions and potential threats out there.