Several months ago I was listening to episode 300 of the PaulDotCom security podcast and I actually had my first exposure to someone arguing against security awareness in the panel titled "End User Security Awareness Training Hot or Not?" Prior to hearing this debate, the answer was obvious to me, and generally across most of the industry, that of course security awareness training was absolutely needed. No questions asked... But in the panel on the podcast I was quite taken aback by the excellent points several of the panelists made against blindly accepting this type of training.
More recently Dark Reading played out this discussion with an article by Bruce Schneier and a counterpoint by Ira Winkler. Bruce generally took the stand against security awareness training, arguing that we should instead be designing systems for people who make poor security decisions. Ira countered that point using a risk assessment-based approach, saying the list of controls to consider should include awareness training. In some cases the security training might reduce risk enough to consider ... and in others it might not.
I like articles like these … they question the obvious and make us think much deeper rather than just indiscriminately accepting the norm. Yeah ... you can argue the intricacies of definitions, assumptions, points, and counterpoints but in the end we all benefit with a better understanding of the "why."
Personally, I lean more towards Ira's risk-based position. He is not saying that security awareness/training is or isn't necessary … just the famous infosec response - "It depends." In some cases security awareness training could make a big impact and significantly reduce the risk to an organization. In other instances this training could just be a waste of resources.
Most organizations probably fall somewhere in between these two extremes. In these situations organizations should proportionately allocate resources to the controls that best reduce their risk. It's up to each organization to monitor its threats and weaknesses and use the appropriate set of controls to bring its risk down to an acceptable level. Perhaps security awareness is part of that ... perhaps it is not.
So in the end there is no right or wrong … there's just what is best for each individual organization. Now, I'd like to see someone argue that. ;)
What is your stance on security awareness training? Let us know in the comments below.
Cross posted from NovaInfosec.com