We're missing out on the value of security awareness

When a program is ineffective, the problem is usually that the training wasn't designed in a way that would result in changes in behavior

Security awareness gets no respect.

It can be extremely valuable, if properly implemented. Too often, when it falls short, that is seen as a mark against security awareness programs themselves, instead of a problem with the implementation. And implementation is often a problem, because security awareness is usually taught by untrained people.

Earlier this year, I read an article in CSO saying that security awareness would never eliminate social-engineered security threats and therefore was a waste of time. I disagree with this point of view and responded with an article of my own, in which I touted the many success stories of security awareness campaigns and noted that it is folly to believe that any security measure is ever going to be 100% effective.

To continue reading this article register now