Is Security Awareness Training Really Worth It?

Published: 22/11/2024   Category: security




Experts weigh in on the value of end-user security training, and how to make education more effective.



Download the entire new issue of InformationWeek Tech Digest, distributed in an all-digital format (free registration required).
Nothing riles up information security professionals quicker than the question of how much to invest in security awareness training. Does it work? Is it worth the money?
"There are three things you don't talk about in security: religion, politics, and security awareness training," says Jennifer Minella, VP of engineering with Carolina Advanced Digital and a member of the board for the International Information Systems Security Certifications Consortium, or (ISC)2.
Not that security training doesn't work. In the 2014 US State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks. The financial value of employee awareness was also compelling, the report found: companies without security training for new hires reported average annual financial losses of $683,000, compared with $162,000 for companies that provided training.
Security professionals generally recognize the importance of security awareness training as part of an overall information security plan. Users need to know they have a role in securing the organization's data. In (ISC)2's latest Global Information Security Workforce Study, adherence to security policy and training staff on security policy ranked No. 3 and No. 4 in effectively helping secure an organization's infrastructure.
But then there are high-profile security experts such as Bruce Schneier, CTO of Co3 Systems, who've argued that training is mostly a waste of time. Users aren't information security experts and shouldn't be expected to keep ahead of potential threats. These experts believe the focus on awareness training takes attention away from bigger industry issues such as failures in software design and a lack of technical controls.
The dividing line?
For most enterprises, it's not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees. Rather, the question is: how much training is enough? The list of companies suffering data breaches is growing steadily, and many of them made significant investments in training, raising questions about its effectiveness.
"It's weird that we are saying, 'Don't click,' to users," says Dave Aitel, CEO of Immunity, a security software company. Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them, he says.
The counterpoint is that users aren't stupid and should share some responsibility in keeping their companies secure, Minella says. All employees, regardless of role or position, are expected to represent the company's strategic goals and behave accordingly at work, at home, and on social media.
"Security is not siloed anymore, and everyone needs to work together on common business goals," she says.
Awareness, not responsibility?
The anti-training camp argues that the emphasis on security awareness training frequently means that users catch the blame when a data breach occurs. A number of recent major data breaches began with a spear-phishing email, and security departments sometimes blame the compromises on "so-and-so clicking on the email" rather than concede that the organization didn't have the right security defenses in place.
"There is a difference between awareness and relying on training users to avoid the threats," says Anup Ghosh, CEO of security software firm Invincea.
If a company wants to protect sensitive intellectual property from corporate espionage, it acquires and configures firewalls and other defenses. But if the company is concerned about spear phishing, the answer is inevitably, "We will train the users," which doesn't make any sense, Ghosh says. Spear phishing should not be treated as a problem with users, but rather as an attack on users requiring a technical response.
Read the rest of the story in the new issue of InformationWeek Tech Digest (free registration required).