The fundamental issue is that IT-related user errors now cause millions of dollars of damage, yet we do not see a comparable effort to reduce those errors. Instead, security programs begrudgingly buy subscriptions for training videos or acquire phishing-simulation services, as if that were the appropriate business response.
I want to be clear that I am not downplaying the value of CBT and phishing-simulation services as part of a good awareness program. However, these purchases are clearly not preceded by a proactive study of why the errors occurred in the first place and of what methods would best address those causes.
Until CISOs and the IT community as a whole recognize that user error is an expected part of the business process, that these errors are costly, and that they deserve the same respect human error gets in every other discipline associated with the business, security awareness programs will have massive failures and user error will continue to be costly. IT professionals seem to believe that user error is unique to our community and that simply telling users not to do something will work. That does not work in any other discipline. Until CSOs, CISOs and other executives realize this and raise the issue with their management, losses associated with user error will only continue to increase. It is time to accept this fact.