However, the other side to that argument comes from Ira Winkler:
"The question to ask is whether the losses prevented by awareness training are more than the cost of the awareness program. So for example, as every successful phishing attack has a cost associated with it, if you are reducing phishing attacks by 50 percent, you are mitigating 50 percent of the potential losses...
"The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction of loss will always be a good return on security investment, especially when the cost of typical security awareness programs is minimal?"
Awareness programs are not a replacement for solid security infrastructure and policies. Nor are they a replacement for response and incident handling. They can't be. The only thing awareness does is increase the odds of recovery, and increase response times should an incident occur.
While training employees to act as monitors for Phishing attacks or emails with malicious attachments is helpful, that doesn't mean such campaigns won't be successful. However it does mean that the security team may know about the problem sooner, and that could be the difference between preventing a disaster — or suffering through one.
One of the main steps to building a good security awareness program is to separate it from security training. Security awareness is not the same as security training when it comes to employees.
Security training serves to offer a structured set of rules, which is what most auditors will look for when assessing compliance. Security awareness, on the other hand, aims to modify behavior. If done right, the company's employees will become an extension of the existing security program. However, while security training can be done annually, awareness programs are a continuous process.
A living proof of concept:
Amanda Berlin works in security for a medium-sized healthcare organization in the Midwest. Over the last few months, she has created an effective awareness program almost out of thin air.
Her organization didn't have the resources to pay for external awareness development and training, but it was needed, so they had to go it alone. It's taken some time, but her efforts have resulted in a program that benefits the company, keeps the staff engaged in security related topics, and has little to no impact to the bottom line.
"So we knew the weakest element in our security were people," Berlin said in an interview with CSO.
"That's probably the weakest part of any organization. You can have IDS / IPS, massive email filtering, but stuff is still going to get through and [criminals] are still going pretext."
Sign up for CIO Asia eNewsletters.