We're missing out on the value of security awareness

When a program is ineffective, the problem is usually that the training wasn't designed in a way that would result in changes in behavior.

Security awareness gets no respect.

It can be extremely valuable, if properly implemented. Too often, when it falls short, that is seen as a mark against security awareness programs themselves, instead of a problem with the implementation. And implementation is often a problem, because security awareness is usually taught by untrained people.

Earlier this year, I read an article in CSO saying that security awareness would never eliminate social-engineered security threats and therefore was a waste of time. I disagree with this point of view and responded with an article of my own, in which I touted the many success stories of security awareness campaigns and noted that it is folly to believe that any security measure is ever going to be 100% effective.

The fact is, security awareness can provide the greatest return on investment of any security countermeasure.

"OK," says the opposition to this viewpoint, "but attacks that target people seem to be proliferating faster than ever. Isn't that evidence that security awareness training has been a failure?"

In a word, no. The fact is that all attacks are proliferating faster than ever. There is nothing special about a rise in social-engineered attacks. But that doesn't mean that security awareness can't be improved to decrease the number of attacks that are successful.
