
The awareness myth


Some salesperson calls you: "The most significant attack vector is email, as I'm sure you know. So educating your users not to click those malicious links is the most important security initiative you can take."
That guy in your professional network, who is responsible for GRC in a large financial company, says: "Awareness will not catch 100% of the phishing mails, more like maybe 70-90%. But technical solutions like firewalls, spam filters and so on do not catch 100% either. Each layer provides some level of security. Awareness is just another layer. Add it to the technical solutions, and you get much better protection."
Reading up on some security compliance standard: "Organisations can't rely on spam filters to block phishing attacks, because cyber criminals are constantly finding ways to circumvent them. They must instead teach employees how to spot phishing emails and regularly remind them of these lessons. Your employees are the first line of defence, and it is essential to equip and empower them with the right tools and mindset."

There is a clear consensus that awareness improves your security, but it is wrong. I will try to explain...


Conjunctive security


The most compelling argument is by that guy in the network (the second example above). He points out, correctly, that you should use multiple layers of security. Each should work differently, so that they can catch what slipped through previous layers.


A simple illustrative example:


[Figure: disjunctive security setup]

As you can see, each layer in itself is poor protection, but together they stop an amazing 99%.


Note that this is a simple model. Reality is more complex. But the model shows quite well how it works.


It does appear to show that adding an "awareness layer" is a good idea, though. How well will that work? Let us look into that.


First let us see how we can model an awareness layer. The protection here lies with the individual users. Installed in human brains, so to speak. Each of them works in their own way, with their own strengths and weaknesses. Each with their own way of being tricked.


To cut through the complexity we can say that a user catches a phishing mail with some probability. In the big picture this should be accurate. The probabilities can vary from user to user, and two users catch phishing mails independently of each other. If you have studied statistics, you could say that the users can be represented by independent stochastic variables, each with the outcomes {STOP, CONTINUE}.


A phishing mail gets through the awareness layer if any one of the users (variables) doesn't say STOP.


But what probabilities should we assign? A phishing test can give the answer to that. It shows how many users clicked the link in the test mail, or opened the attachment. If it is only 10% you should be happy. That is a very low number.


With that we now have a sufficient model for an awareness layer.


Phishing campaigns usually target many users in one attack. In a large company it is routine to receive hundreds of phishing mails in a single attack.


[Figure: conjunctive security]

Even with the high protection level of 90% that awareness might provide with a single user, it quickly evaporates as the attack scales. It's 81% with two users, 35% with 10 and 0.5% with 50... The awareness layer fails if one of its parts fails. It is a conjunctive system.
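The two figures above as a worked example in Python (added here, not code from the original post): technical layers combine disjunctively, an awareness layer combines conjunctively across the users a campaign targets. The three technical-layer catch rates are constructed so that the stack reproduces the 99% total; the 90% per-user rate is the post's own.

```python
# Added example (not from the original post): the disjunctive/conjunctive
# probability model described in the text, with constructed sample numbers.
from math import prod


def disjunctive_catch_rate(layer_catch_rates):
    """Technical layers (spam filter, proxy, AV, ...) are disjunctive: a mail
    only gets through if EVERY independent layer misses it, so the stack
    stops 1 - product(miss rates)."""
    return 1.0 - prod(1.0 - p for p in layer_catch_rates)


def conjunctive_catch_rate(user_catch_rates):
    """An awareness layer is conjunctive: a campaign is stopped only if EVERY
    targeted user says STOP. Users are independent variables that may have
    different catch probabilities."""
    return prod(user_catch_rates)


def awareness_layer_at_scale(per_user_catch, n_users):
    """Special case of conjunctive_catch_rate with identical users."""
    return per_user_catch ** n_users


def users_until_below(per_user_catch, threshold):
    """Smallest number of targeted users at which the awareness layer's
    protection drops below `threshold` (assumes 0 < per_user_catch < 1)."""
    n, p = 1, per_user_catch
    while p >= threshold:
        n += 1
        p *= per_user_catch
    return n


def stack_with_awareness(layer_catch_rates, per_user_catch, n_users):
    """Treat the whole awareness layer as one more disjunctive layer whose
    effective catch rate is what it achieves against the full campaign."""
    effective = awareness_layer_at_scale(per_user_catch, n_users)
    return disjunctive_catch_rate(list(layer_catch_rates) + [effective])


if __name__ == "__main__":
    # Constructed technical layers: 60%, 80% and 87.5% alone, 99% together.
    tech = [0.6, 0.8, 0.875]
    print(f"technical stack: {disjunctive_catch_rate(tech):.1%}")
    for n in (1, 2, 10, 50):  # the post's figures: 90%, 81%, 35%, 0.5%
        print(f"awareness vs {n:2d} users: {awareness_layer_at_scale(0.9, n):.1%}")
    print(f"below 50% protection at {users_until_below(0.9, 0.5)} users")
    print(f"stack + awareness (50 users): {stack_with_awareness(tech, 0.9, 50):.3%}")
```

Adding a 50-user awareness layer to a 99% technical stack lifts it to about 99.005%, which is the point the post makes about where the layer is worth its cost.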


There is one more argument.


The generation of phishing mail content has seen a large technological step forward.


Back in the 2010s it was realistic to spot phishing mails. They were clearly made by low-skilled people whose primary language was not that of the mails. So the mails always contained obvious errors, especially language errors, and they often contained very ham-fisted demands that you click the link or open the attachment.


This has changed. Possibly due to LLM translation and text generation. Possibly because phishing has become more business-like. The mails look legit now. They will fool almost all of us. We can only hope to spot the low-effort ones.


What then?


Give up? No, but use your resources where it matters. Only do awareness training if you have to meet some compliance requirements, or if there are cultural problems around security.


Should users stop caring? No, they should still try to figure out when they are tricked. But be sure they will be tricked. Build your security on that, not on a fantasy.



PS Note that all this was about phishing awareness, which is the common understanding of the concept of awareness. But there are other kinds of awareness, and some of them actually do make sense.

