You may have seen this article which has been getting a lot of discussion:

Why You Shouldn’t Train Employees for Security Awareness

Pardon me for a moment while I speak my mind: WHAT A LOAD OF CRAP! The people who believe a specific tool is the answer are the people who sell tools.

No security measure is 100% effective. But just because a security measure is not completely successful does not mean it is completely useless. Security is all about “defense in depth.” I have recently done some security awareness training at my company and from the conversations that followed I can tell it did some good. Does it guarantee we won’t have a problem in the future? Of course not. Do I feel better about the risks we face now? Absolutely!

This blog is predicated on the idea that there is a bug between the keyboard and the chair (i.e. the human). Fixing the human bug is not the only part, but it is a big part of fixing computer security.

Some exploits attack, some are invited in. Remember the Trojan Horse? A perimeter can only stop the attacks that have no insider assistance. Dracula could not enter your house unless invited. Renfield invited him. Security awareness is teaching Renfield not to invite Dracula into the house. He may still get in another way, but at least he won’t get in the easiest way!

No security tool can prevent bad choices; only knowledge and good judgement can do that. To rely only on the tool and not on the judgement is to eat bugs and invite Dracula to just come on in and bite everyone in the house.
