Security professionals are supposed to design and implement security programs that cost-effectively mitigate risk. Period. Not completely prevent risk, but mitigate it. You will have losses, but your goal is to control those losses in a reasonable manner.
The question to ask is whether the losses prevented by awareness training exceed the cost of the awareness program. Every successful phishing attack carries a cost, so if you reduce successful phishing attacks by 50 percent, you are mitigating 50 percent of the potential losses. But Aitel uses a 2004 example as proof of his opinion: after a four-hour training session, of which nobody is sure of the quality, phishing attacks still had a 90 percent success rate.
That literally proves nothing.
Clearly awareness techniques have improved since then, but even so, the question that should be posed is: "What were the cost savings from the 10 percent reduction in successful attacks, compared with the cost of the training program?" And this is only the most obvious weakness in his use of this example.
The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction in loss will always be a good return on security investment, especially when the cost of a typical security awareness program is minimal.
Then there is the fundamental concept that the I in IT stands for INFORMATION, not computers. The acronym CISO stands for Chief INFORMATION Security Officer, not Chief Network Security Officer. Aitel's article and the countermeasures it recommends in lieu of awareness training fail to recognize that information exists off the computer network. To use the quote mentioned earlier, there is no technology that will prevent the human mishandling of paper records and computer media. Yes, media can be encrypted, but the cost of trying to find lost media, even if it is eventually found, can be enormous, drain resources and result in public embarrassment. The return on investment for a security awareness program that addresses this can be huge, even if it prevents a single incident.
But the biggest issue is perhaps that security awareness efforts are frequently not optional. Any good security practitioner realizes that their clients have to adhere to a variety of compliance standards, with a variety of interpretations. Awareness programs are required or implied by standards including PCI DSS and HIPAA. Telling people to drop a required control because a pontificator believes it is a bad idea is simply not an option, even if the underlying argument is reasonable.
So, to summarize, the fundamental issues of security include, but are not limited to, the following: no security measure is perfect; awareness mitigates non-technical risks that technology cannot; CISOs and other security managers are responsible for protecting information in all its forms; and in many cases awareness programs are not optional. The fact of the matter is that no security measure should be judged by the standard of perfection. The real standard is return on investment. By that standard, you will find that security awareness is one of the most reliable security measures available.