There’s been a lot of discussion in recent weeks about whether security awareness is effective at all. Dave Aitel and Bruce Schneier have argued that security awareness is a waste of time and money. Many people disagree.
I think Aitel and Schneier would be correct if they clarified their position to say that bad security awareness programs are not effective. Many security awareness programs consist of going to an all-day class, reading a wall of text, or just watching a video. These approaches tend to be boring, are not contextualized to the employee’s actual job, and offer no opportunity to practice the needed skills.
Furthermore, a lot of the threats organizations are facing today deal with the human element. In 2011, Microsoft’s Security Intelligence Report found that close to 45% of malware required some kind of user interaction to run, and another 26% propagated from USB keys via AutoRun. That adds up to roughly 71% of the malware in that sample depending on something a person did: opening an attachment, running a download, or plugging in an untrusted drive. Basic awareness and training about malware would blunt a large share of that, though not all of it is a training problem; the AutoRun portion in particular is also addressed by a technical control (disabling AutoRun), and the two should be used together.
More and more security problems are due to the human element, and effective training of employees is an essential ingredient in defense in depth. Not having a security awareness program is a risk that just isn’t worth taking.