Bad technical security
No single user action should be able to cause a devastating loss to an organization. For example, users should not have permission to install software on their systems, so ransomware should not be able to install itself when a user opens a malicious file. Storage devices should be encrypted, so the loss of a device does not necessarily mean a compromise of the data on it. Web filters should stop people from reaching known unsafe websites.
Poor technical security is what allows an inevitable user mistake to turn into a serious incident. Better user awareness reduces how often technical countermeasures need to kick in, but there must still be defense in depth so that neither non-technical nor technical failings on their own lead to significant loss.
Focus on CBT and phishing
Computer-based training (CBT) is a single way of conveying information. It is not an awareness program in itself. People have different learning styles, and many people will not respond well to CBT. Consider how many people prefer reading a book to watching a movie. Just as important, even people who appreciate CBT might not appreciate the style of a particular CBT. Again, consider that even among people who prefer movies to books, some prefer dramas and some prefer comedies. Some CBTs try to be informative. Some try to be comical. Some try to be scary. In a large organization, you must expect that even well-made CBT will be effective for only a minority of employees.
Phishing simulations, even assuming they are effective in reducing phishing incidents, only train people to be less susceptible to phishing attacks. While phishing is a significant problem, the simulations do nothing to help people with password security, physical security, safe web browsing, or countless other awareness topics.
I want to be clear that both CBT and phishing simulations can have a part in an effective awareness program, but they are only a part of an effective program.
Treating awareness as a casual activity
Treating awareness as a casual activity might seem akin to a check-the-box mentality, but some organizations sincerely want to do more than check the box. They take pride in the CBTs they choose. They might also put on some presentations. However, despite the intent to do more, they still do not commit sufficient resources, and the awareness program ends up more of a hobby than a concerted effort to improve security behaviors. In short, the program consists of activities that, while individually engaging, are disjointed and ineffective.
I previously wrote about the fact that security professionals assume users have common sense with regard to most security issues. As I stated at the time, there can be no common sense without common knowledge. If you assume that users have more knowledge than they do, you will fail to address basic issues. For example, while most people know the underlying principles of phishing, you cannot assume everyone does. Even when people know about phishing, you cannot assume how deep their knowledge goes.