Good vs Bad Security Awareness Training

Every corporate policy on security I have seen and most best practice guides demand an active security awareness training program. I have never been a fan of the concept because it seemed like perfectly good money being wasted both in hard dollar terms (the cost of training material, posters, CBT, and teachers) and the soft but equally real costs (taking people away from their jobs on an annual basis).

But it has been pointed out (by me) that most of what I do: public speaking, this blog, and my columns is actually security awareness training as I inveigle corporate leaders to pay more attention to the threats from cyber criminals, extortionists, and now spying nation states.

So, yes, there is good security awareness training. But I do not include teaching Bobby in reception how to avoid being taken in by Kevin Mitnick.  It is futile and silly to expect your average employee to become paranoid enough to ward off social engineering attacks.  Rather than invest in posters in the elevators exhorting people to stop strangers in the hallway, you should be investing in better security technology.  Need to train people to change their passwords every three weeks? Just institute an Identity and Access Management solution that forces them to.  Need stronger passwords?  Go for one time tokens.

What kind of security awareness training do I like? I love training IT administrators and developers in hacking techniques. If they see how simple it is to break in or bypass applications they will institute better controls and write better code.  There are lots of hacker training classes.  I will compile a list and post it here. If you have a favorite class let me know either by email or leave a comment.  
