I was once called into a multinational oil company which wanted advice on a situation. One of their employees called them, because a coworker was displaying unusual behaviors. An investigation was performed, and it was learned that the coworker was giving information to a Chinese intelligence operative. At another company, an employee stopped a person from tailgating them into a facility and it turns out the tailgater was responsible for stealing more than a dozen laptops from company facilities.
While performing a penetration test at one company, the security manager told me I should take a long lunch at a very specific restaurant, and just listen to conversations. I learned of the company's marketing plans for a top product. Going to lunch at dozens of restaurants near the National Security Agency, an organization with extensive security awareness efforts, I can hear nothing of any significance.
During a firewall penetration test, a strictly technical penetration test, I received a call from a bank vice president telling me to stop my social engineering BS. I asked what the person was talking about, and was told that their people had received a call asking for details about the firewall, and had replied that they needed the caller's contact information and would get back to them, as their awareness training described. The vice president assumed that it must be part of my penetration test, which it wasn't.
It was a real attack, and they responded appropriately.
I can go on, and give dozens of examples of security awareness success stories, but everyone knows of such success stories. Frankly, everyone reading this article can likely point to countless personal stories of how their behavior saved them from being a victim of some attack.
First, let's stop and consider what security is. Dave Aitel's recent column "Why you shouldn't train employees for security awareness" gives the impression that every security measure should be 100 percent effective. Aitel even reinforces that concept in a response to one of the many comments criticizing the article.
In his own comment, Aitel notes:
"The only thing you really know about awareness training is that no matter how much you spend on it, one time out of ten it completely fails. The one person you want to be aware is, of course, your CSO, so he can institute security measures that make awareness a non-issue."
But every security measure, technical or otherwise, has failed and will fail again at some point in time. If you don't realize that, you really suck as a security professional. The definition of "security" is literally "freedom from risk." You will never be free from risk in the real world. What "security" professionals are actually performing is "risk management."