playing devil's advocate with security awareness training

Via New School of Information Security, I wandered over to a surprisingly hotly debated article on CSOOnline from Dave Aitel, “Why you shouldn’t train employees for security awareness”. Really, what the headline should be is, “Why the dollars spent on security training are better spent on something else.” Heading over to the article, I already knew there was some debate going on, but I was a bit shocked at the comments. (Truth be told, very few of the detractors had any decent point to their comments…)

Especially since Dave has a point.

No, he’s not completely correct, but he makes a point; the sort of point that requires hyperbole to make it, ya know? (Strictly speaking, I don’t actually see where Dave’s points echo exactly the sensational headline CSOOnline decided to give him, though I can see where one will take the 1/4 step to connect the dots…)

Too many people lean very heavily on security awareness activities, essentially saying we’ll be more secure if people make smarter choices. This makes sense, but the reality is rarely quite so nice. People still make mistakes. *I* still make mistakes, and *I* should know better. People may willingly make mistakes. I’d much prefer my business dollars spent in a way that gives me a technological safety net.

Security awareness is useful as long as you don’t think its whole purpose is to improve your security by a palpable amount through the training itself. Security training helps the rest of the business understand why you have security policies. It gives the ones who care some knowledge to make better (not correct, but at least better) decisions. It prepares them for when you have to investigate something, offer an opinion, review something, or otherwise finger the brakes of reckless progress. Among other political and soft reasons…

In the end, I agree with people who feel that you should have a mix of security awareness and technological controls, but still trust the technological controls more. I’ve probably said that for a decade now, and there’s nothing that has moved me from that stance. Awareness yes, but rely on those technological controls more.

Oh, and I do “get” the problem of expecting perfection, otherwise something is useless. I think that’s an unfortunate extreme position that Dave *mostly* walked into. The fact that a few attacks still work doesn’t mean awareness is worthless. But we may be able to have enough technological controls to mitigate, if not outright stop, the mistakes that happen. That’s where we talk about “defense in depth” and doing various things to help limit risk/damage…