Mike's random thoughts and ramblings

The Dismal Failure of Security Awareness Training

I recently got more than a little frustrated by the idea of "Awareness Training". I was talking with a co-worker about user awareness training, and he was telling me about his experience with it as a once-per-year, satisfy the regulatory requirements sort of thing that doesn't really have a whole lot of impact.

And, as often happens, I got irriated. Because we're better than this.

And it's costing us significant value in security - study after study shows that up to 80% of loss in enterprises happen because of things that users do. And I read articles like this one at Dark Reading:

"No matter how many times they train them, no matter how many classes they hold, most IT professionals still watch helplessly as end users introduce new malware because they "just couldn’t resist looking at the attachment." Security pros cringe as their users download software for personal use, turn off firewalls to speed up a connection, or leave their passwords stuck to their laptops."

Of course, there's always Amrit's thought on it: " training your staff... doesn’t work and never will - users are stupid"

And they're completely right. Because training doesn't work.

And, yet, we keep doing it over and over and over.

So, I asked the question that I usually ask myself when things go wrong: "Who else has solved a problem like this one, and how did they do it?"

And, since I usually think in powerpoint documents (I blame Tom Peters for the habit), the result was this set of slides.

How would this change user awareness training? And how much better could we make it?

Share this post

About the author

Michael Murray

Michael Murray