Is Security Awareness as Effective as We Imagine?

Tuesday, July 24, 2012

Hani Banayoti


It is often said that security awareness is one of the most effective methods for reducing risk and improving an organisation's security posture.  

My personal opinion is that security awareness may be a dated approach/concept.  

Firstly, because it is often a cheap and easy measure for senior decision makers to implement, one that lets them convince themselves things will be OK without having to do or invest much in security.

Secondly, it assumes that end-users are already unaware of, or unenlightened about, security concerns. That is a premise I would certainly challenge, having worked in this industry for the last 15 years.

The vast majority of end-users are increasingly aware of the basic security principles, especially in the current technology culture that floods our media, homes and daily lives.

We cannot relax our deep-dive technical security expertise and effort just because we think we deliver good corporate security awareness. Did high-profile technology and security companies like RSA, GlobalSign, DigiNotar, Sony, Yahoo, LinkedIn etc. not have good security awareness when they got compromised? I'm sure they did.

The truth is that attacks are becoming so sophisticated that they will inevitably go beyond any awareness training we typically experience in a corporate environment.

We need to stay focused on deep-dive technical security: securing the networks, the applications, the platforms and the systems development process. We need to do the hard work necessary to safeguard the organisation and not rely on the easy and cheap approach.

I absolutely love this article by Dave Aitel: "Why you shouldn't train employees for security awareness".
