I'm often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong.
1. Training does not work
I often hear people say: "Awareness does not work. I have never seen an awareness program actually change people's behavior."
To be honest, I have to agree with this statement. Most awareness programs in the past have failed to change behavior. However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested.
These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter.
For an awareness program to change behavior, it has to be designed from the ground up for that purpose rather than for the compliance checkbox: ongoing reinforcement instead of a once-a-year presentation, and a focus on a few specific behaviors instead of everything at once.
2. It's not worth it because someone will still mess up
People tell me that awareness is a failure; that no matter how much you train people, there is always a small group of people that will still fall victim. Folks, security is all about reducing risk, not eliminating it.
Awareness is nothing more than another security control. Why people hold awareness to a different standard is something I'll never understand. Awareness is no different than encryption, firewalls or intrusion detection. However, with awareness, you can get a tremendous return on your investment, in many cases reducing human risk by as much as 95 percent, as measured by the drop in click rates across repeated simulated phishing tests. Show me any other control that will get you that type of ROI.
3. People already know what to do
I've read interesting reports from academics that say people already know what secure behaviors to follow, they just choose not to follow them.
Wow, where are these people getting their data? With the organizations I work with, not only do people usually have no idea what secure behaviors they should follow, but they are also hungry to learn. They know there are bad guys online, but they don't know what to do to protect themselves from them. The problem is not the people. The problem is that we are not effectively training them. What is the number-one thing that, in my experience, people did not know? They had no idea that keeping operating systems and applications current was critical to keeping their computers and mobile devices secure.
4. It's all about prevention
When people discuss awareness, they usually focus on just prevention: they're trying to implement the idea of the "human firewall." While prevention is important, why limit ourselves? Why not train people to become human sensors as well? An employee who recognizes a phishing email and reports it gives the security team an early warning that no technical control would have raised, and the time between the first report and the first click is the window in which the message can still be pulled from everyone else's mailbox.
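To make the two measurement ideas above concrete (the drop in click rate from section 2 and the "human sensor" reporting behavior from section 4), here is an added example that is not part of the original article. It scores two constructed simulated-phishing campaigns, one before and one after a behavior-focused program, and computes the metrics a practitioner would actually track: click rate, relative risk reduction, report rate, minutes to the first report, and how many reports arrived before anyone clicked. The campaign data, user names and timings are invented for illustration; the metric definitions are the author of this example's, not the article's.

```python
"""Metrics for simulated-phishing campaigns (added example with constructed data).

Click rate measures prevention ("human firewall"); report rate and time to
first report measure detection ("human sensors")."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Recipient:
    """One simulated-phishing email: when it was sent and when (if ever) the
    recipient clicked the lure or reported it to the security team."""
    user: str
    sent: datetime
    clicked: Optional[datetime] = None
    reported: Optional[datetime] = None


def click_rate(campaign: Sequence[Recipient]) -> float:
    """Fraction of recipients who clicked the lure (the prevention metric)."""
    return sum(r.clicked is not None for r in campaign) / len(campaign)


def report_rate(campaign: Sequence[Recipient]) -> float:
    """Fraction of recipients who reported the email (the detection metric)."""
    return sum(r.reported is not None for r in campaign) / len(campaign)


def risk_reduction(before: Sequence[Recipient], after: Sequence[Recipient]) -> float:
    """Relative drop in click rate between two campaigns; 0.75 means 75% fewer clicks.
    Returns 0.0 when the baseline had no clicks, since there is nothing to reduce."""
    base = click_rate(before)
    if base == 0:
        return 0.0
    return 1.0 - click_rate(after) / base


def minutes_to_first_report(campaign: Sequence[Recipient]) -> Optional[float]:
    """Minutes from the earliest send to the first report, or None if nobody reported."""
    reports = [r.reported for r in campaign if r.reported is not None]
    if not reports:
        return None
    first_sent = min(r.sent for r in campaign)
    return (min(reports) - first_sent).total_seconds() / 60.0


def reports_before_first_click(campaign: Sequence[Recipient]) -> int:
    """Reports that arrived before anyone clicked: the head start the security
    team gets to pull the message from the remaining mailboxes."""
    clicks = [r.clicked for r in campaign if r.clicked is not None]
    cutoff = min(clicks) if clicks else None
    return sum(
        1 for r in campaign
        if r.reported is not None and (cutoff is None or r.reported < cutoff)
    )


# Constructed send time; every recipient in a campaign is sent at once.
T0 = datetime(2024, 1, 15, 9, 0)


def _campaign(clicks: Dict[str, int], reports: Dict[str, int], n: int = 20) -> List[Recipient]:
    """Build n recipients u00..u(n-1); clicks/reports map user -> minutes after send.
    A user may appear in both (clicked first, then reported), which is realistic."""
    out = []
    for i in range(n):
        user = f"u{i:02d}"
        out.append(Recipient(
            user=user,
            sent=T0,
            clicked=T0 + timedelta(minutes=clicks[user]) if user in clicks else None,
            reported=T0 + timedelta(minutes=reports[user]) if user in reports else None,
        ))
    return out


# Constructed baseline: 8 of 20 click, a single report arrives after 40 minutes.
BASELINE = _campaign(
    clicks={"u01": 3, "u02": 5, "u04": 7, "u07": 9, "u09": 12, "u11": 15, "u14": 20, "u18": 30},
    reports={"u05": 40},
)

# Constructed follow-up after a behavior-focused program: 2 of 20 click,
# 10 report, and the first report lands 4 minutes in, well before the first click.
FOLLOWUP = _campaign(
    clicks={"u09": 11, "u18": 25},
    reports={"u00": 4, "u01": 6, "u02": 6, "u03": 8, "u05": 9,
             "u06": 13, "u08": 15, "u10": 17, "u12": 22, "u15": 30},
)

if __name__ == "__main__":
    for name, c in (("baseline", BASELINE), ("follow-up", FOLLOWUP)):
        print(f"{name}: click {click_rate(c):.0%}, report {report_rate(c):.0%}, "
              f"first report at {minutes_to_first_report(c)} min, "
              f"{reports_before_first_click(c)} reports before first click")
    print(f"relative click-rate reduction: {risk_reduction(BASELINE, FOLLOWUP):.0%}")
```

The relative reduction is the number usually quoted as "risk reduced by N percent"; it says nothing about the residual clickers, which is why the report-rate and reports-before-first-click figures matter. In the constructed follow-up, five people reported the email before the first person clicked it, which is the "human sensor" payoff: a security team watching the reporting mailbox could have quarantined the message while it was still unopened in most inboxes.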