
Employees Are Not the Weakest Link in Cyber

A ready analogy is far more appropriate than people would realize.

I did it. We always hear it. And we all say it. People, humans, my employees, layer 8, the carbon layer—are the weakest link in cybersecurity.

Then I ran into a colleague speaking on cybersecurity/information assurance education at the FS-ISAC & BITS Annual Summit in Miami. As we talked, and as she highlighted in her presentation, computer users are not the weakest link, because that conclusion rests on an erroneous assumption.

According to my latest Google search, "[W]ith a cumulative market valued at $65.5 billion (2015–2020), the U.S. federal cybersecurity market will grow steadily at about 6.2% CAGR," according to Market Research Media. Moreover, from another source, "[M]arketsandMarkets expects the global cybersecurity market to grow from $106.32 Billion in 2015 to $170.21 Billion by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8%."

Very scientific, I know. But then again, I'm a lawyer and not very good at math and statistics—that's why I became a lawyer; I just know how to take a third of anything.

So continuing with my laid-back statistics, 95 percent of all security incidents involve human error and 28 percent of cybersecurity incidents were blamed on current or former employees, contractors and other trusted parties. We spend about $650 million in security awareness training, and it is forecasted that the training field will grow at approximately 13 percent a year with the market potentially reaching $1 billion annually.

And this brings me to my colleague's point: humans are not the weakest link, because we do not invest in securing them the way we invest in other areas of cybersecurity. I thought this was a great point, particularly because of my Defense Department operational legal background. For example, I worked at the department's counterdrug command in the 1990s, and I saw firsthand how the U.S. government allocated its budget between enforcement and treatment. When I got involved, enforcement got the lion's share of the money. Yet over the years the majority of the studies indicated that if you invest in treatment and support to get folks off of drugs, the return on investment is much better than on enforcement alone.

So now that cybercrime has replaced the drug trade as the largest criminal money-making enterprise, let's look at this comparison. The cybersecurity trade is estimated at $106.32 billion, and we spend $1 billion on security awareness and training. So with my calculator that is … are you kidding me?

According to my analogy of enforcement versus treatment, in our efforts against drugs we spend $10.9 billion on prevention and treatment and $14.5 billion for enforcement, according to the White House. Yet for cybersecurity awareness—where we are all addicts of our technology—we spend less than 1 percent on education “and treatment.” And that education or training or whatever comes at us once a year at best, in an online format—and most people are going to cheat at that. People go to the end of the training, take educated guesses at the correct answers, write down the ones they get right and wrong and then keep re-taking the online test until they get their information assurance or cybersecurity training certificate and email it off to the information assurance, information technology or HR department.

So, agreeing with my colleague, until we decide to invest in securing the carbon layer at a level remotely approaching what is spent on other areas of cybersecurity, we should not be saying employees are the weakest link. They are the largest vulnerability because we do not spend the money to educate them or to change that. Moreover, we need to develop and invest in better security awareness education and training programs.

Dan Lohrmann, former CIO of the state of Michigan and now with Security Mentor, believes the company offers training through "highly engaging, interactive lessons." While I have not seen it, as it requires paying for this commercial product and I'm a poor government hack, I hope that it is—and that other cybersecurity awareness companies are—finding ways to break through corporate barriers to highlight the same thing we learned in the war on drugs. For every dollar spent on education and training, the return on investment will be worthwhile. I realize this takes people away from their job and makes them not productive to a company's bottom line, but this training, done correctly, seems to actually be able to save companies a lot of money in the long run.

Robert Clark is an Army Cyber Institute fellow for cyber law at West Point, the U.S. Military Academy.