It is often said that security awareness is one of the most effective methods for reducing risk and improving an organisation's security posture.
My personal opinion is that security awareness may be a dated approach/concept.
Firstly, because it is often a cheap and easy measure for senior decision makers to implement, allowing them to convince themselves that things will be OK without having to do or invest much in security.
Secondly, it assumes that end-users are already unaware of or unenlightened about security concerns, a premise which I would certainly challenge, having worked in this industry for the last 15 years.
The vast majority of end-users are increasingly aware of basic security principles, especially in the current technology culture that floods our media, homes and daily lives.
We cannot relax our technical security deep-dive expertise and effort just because we think we deliver good corporate security awareness. Did high profile technology and security companies like RSA, GlobalSign, DigiNotar, Sony, Yahoo, LinkedIn etc., not have good security awareness when they got compromised? I'm sure they did.
The truth is that attacks are becoming so sophisticated that they will inevitably go beyond any awareness training we typically experience in a corporate environment.
We need to keep focused on deep-dive technical security, by securing the networks, the applications, the platforms and the systems development process. We need to do the hard work necessary to safeguard the organisation and not rely on the easy and cheap approach.
I absolutely love this article by Dave Aitel: "Why you shouldn't train employees for security awareness".