The unfairness of cyber awareness

elevenM Principal Arjun Ramachandran explores why cyber awareness matters, despite the prevalence of seemingly unstoppable sophisticated cyber-attacks.



“Deserve got nuthin’ to do with it. It’s his time, that’s all.”
– Snoop, The Wire.

We want to believe our behaviours solely determine the outcomes we get. But it’s not always the case, especially in the complex cyber realm.

The brilliant US drama The Wire made an artform of summing up life’s hard truths in pithy one-liners, delivered in the language of the street. In Season 5, drug gang member Snoop is asked by a junior gang member whether a target really “deserves” to be “hit”. Her response (above) lays bare the unfairness at the heart of the adversarial drug war.

Cyber security too, ain’t always fair. The existence of a committed, human adversary is a significant and differentiating feature of cyber risk that those of us involved in the field should keep in mind.

Especially in the areas of security training and education. We often seek inspiration from areas like public health, where highly-acclaimed campaigns have raised awareness of the risks of smoking and sun cancer, driving down public exposure to these activities and vastly reducing the incidence of bad outcomes.

But these areas don’t have a human adversary. In cyber, for all of our awareness and reduction of risky behaviours, it remains the case that a determined, highly-sophisticated attacker could still get at a company’s crown jewels by persistently probing for small areas or moments of weakness.

The attack on the Australian National University is a shining example, recently and evocatively labelled a “diamond heist” by its vice-chancellor, rather than a “smash and grab”.

“It was an extremely sophisticated operation, most likely carried out by a team of between five to 15 people working around the clock”. – ANU vice-chancellor Brian Schmidt

While it may be true that a well-educated and aware workforce might not “deserve” to get hacked, Snoop’s street wisdom and the ANU hack suggest that increasing the awareness of end users may still not be enough to prevent the most sophisticated attacks, such as those by highly-skilled state-sponsored attackers.

And awareness on its own stands to be defeated. The UK’s National Cyber Security Centre points out that people-focused activities such as education must come with technical controls, as part of a multi-layered approach. That’s a sentiment recently echoed by the Australian Government.

“But like all other forms of security, awareness is a complement to, not replacement for, the availability of secure features. For example, drivers are provided with a seat belt in addition to education about the importance of road safety and incentives to use the seat belt. And the same expectations and requirements we have where safety is paramount should apply in cyberspace” – Australia’s 2020 Cyber Security Strategy – A call for views

But we also can’t throw the baby out with the bath water.

In our travels, we occasionally come across a certain bluntness or defeatism about cyber awareness. Because of the success of and attention given to state-sponsored attacks, education and awareness is labelled “ineffective”, technical controls are deemed all that matter.

In our view this is a severe over-correction.

It pays to remember that there exists a broad swathe of attackers – not every attacker coming for a small business (or even an enterprise) is bankrolled by a rogue state and has access to an arsenal of zero-day exploits.  

In fact, many are commercially-motivated cybercriminals of varying levels of ability, plying their trade using commodity tools purchased off underground marketplaces. They can be as sensitive to cost pressures as the CEO of a cash-poor business. Anything that makes it harder (ie costlier) to achieve their goals may be enough to deter these actors to move on to another easier, more cost-effective target.

One of the ways we help businesses do this – such as through our recently developed learning packages – is by raising employees’ awareness to the risks and also providing actionable advice on how they can make the average cyber attacker’s life that little bit more frustrating. Maybe a stronger password, or a healthier skepticism to dubious emails will do the trick.

While technical controls might overtake end-user awareness as the best response to a specific cyber threat (eg. some now argue multi-factor authentication should be prioritised as a response to phishing), when that happens an effective awareness program can re-deploy the fruitful conversation it has established with staff to the next evolving area of risk (for eg. how staff use cloud services).

In this way, over the long term awareness activities also continually embed a sense of responsibility and ownership in a workforce, acting as a precursor to and an enabler of a secure culture.