The claim that security awareness trainings are not working is, in my opinion, a claim based on wrong assumptions. It also shows a clear lack of understanding of the inner workings of the human mind, and a total lack of respect for your co-workers.
If all you focus on is technology, code and cryptology, and you have very little real interaction with people, I can understand where you are coming from. It takes more than code to decrypt the subtleness of human interaction.
Last year, at the RSA Europe Conference in London, I was part of a panel discussing security awareness training. The panel consisted of two sides - for and against security awareness training. I happened to be speaking on behalf of security awareness training, and our team had an easy “victory”, simply because it is not possible to provide clear and consistent evidence that training is not working.
How, a few months later, a different panel at RSA Conference 2013 can reach the opposite conclusion, is lost on me.
There is plenty of evidence that suggests that training people works, and works well in most cases. Education and training is not perfect, and there are many cases where the results are not as good as expected. But that is not the same as claiming security awareness training is a waste of time and resources. It may be an argument for adjusting your expectations instead.
My main point at the panel was that if you do it wrong, you should not expect great results. And thus, you should not be complaining. The challenge is that even if you do it right, it can be hard to document the effect, and to show a clear causation between your training efforts and the behavior change. This is not unique to security awareness training; it is true of any training and development effort in your organization and in society.
We don’t stop training people just because it is hard to show how well it works. We start measuring by creating a baseline, defining a clear goal, and tracking our progress. If we are not moving in the right direction, we adjust the course.
I have learned that most infosec professionals excel at their technical skills, their risk management models and their policy making.
Some infosec pros claim that the only way to train your co-workers about security awareness is to hit them with a bat. When I hear them say something like that, I realize they have no clue about interpersonal skills, personality traits, motivational theory, or much else.
Except, I hope, security.