I recently got more than a little frustrated by the idea of "Awareness Training". I was talking with a co-worker about user awareness training, and he was telling me about his experience with it as a once-per-year, satisfy the regulatory requirements sort of thing that doesn't really have a whole lot of impact.
And, as often happens, I got irritated. Because we're better than this.
And it's costing us significant value in security - study after study shows that up to 80% of loss in enterprises happens because of things that users do. And I read articles like this one at Dark Reading:
"No matter how many times they train them, no matter how many classes they hold, most IT professionals still watch helplessly as end users introduce new malware because they "just couldn't resist looking at the attachment." Security pros cringe as their users download software for personal use, turn off firewalls to speed up a connection, or leave their passwords stuck to their laptops."
Of course, there's always Amrit's thought on it: "training your staff... doesn't work and never will - users are stupid"
And they're completely right. Because training doesn't work.
And, yet, we keep doing it over and over and over.
So, I asked the question that I usually ask myself when things go wrong: "Who else has solved a problem like this one, and how did they do it?"
How would this change user awareness training? And how much better could we make it?