A year of historic breaches, from RSA, Epsilon and Lockheed Martin to the Sony PlayStation Network, demonstrates how ineffective even the best security technologies can be when people are involved.
Many attackers today leverage the human factor, bypassing most security controls and using techniques such as social engineering to get the information they want, simply by luring users to open an email, click on a link or download an attachment.
Information security professionals often assume that simply making users aware of security issues will make them want to change their behavior. But security pros are learning the hard way that awareness rarely equals change.
A fundamental problem is that most awareness programs are created and run by security professionals -- people who were not hired or trained to be educators. These training sessions have traditionally consisted of long, monolithic lectures and boring slideware, with little thought or research into what material should be taught or how. As a result, organizations are not getting the desired results, and no overall progress can be tracked.
Bottom line: if companies fail to implement effective and engaging security awareness training, the latest phishing scam is just as likely to fool the same people, and government agencies will remain at risk.
To solve the security training puzzle, it is important to step back and understand how people most effectively learn subject matter of any type. In other words, are there training keys that help get an attention-deficit society to sit through something as potentially boring as security training?