As a person who primarily focuses on the human aspects of security and on implementing security awareness programs, I find that people are surprised when I am neither upset nor surprised when there is an inevitable human failing. The reason is that I have come to the conclusion that most awareness programs are just very bad, and that, like all security countermeasures, there will be an inevitable failing.
I have to admit that it is frustrating to have to argue with people who claim that awareness is always bad. They argue that since there will always be a single failing, it is not worth the effort to have an awareness program in the first place. Of course, I vehemently disagree. However, to debate people and address their points, at least in the eyes of decision makers, you need to understand the foundation of their arguments and accept the premises that are true.
Three years ago, I wrote a similar article on awareness programs' failings. In the last three years, I have reviewed dozens of other programs, investigated incidents, watched vendor marketing campaigns, listened to the hype, and heard about thousands of data breaches. While I try to refrain from repeating the same points, there may be some repetition, but there is refinement. I intend to bring up the points that are most relevant to the current, apparently poor, state of awareness.