It’s become one of the great debates within information security: Do security awareness programs actually work? The naysayers believe that training workers to be more security conscious is tantamount to throwing away money, because users are neither incentivized enough to care nor skilled enough to recognize today’s sophisticated attacks. Not to mention, it only takes one careless employee to spawn a compromise, and sometimes no carelessness at all, since a drive-by download can compromise a user who merely visits a malicious web page.

On the other hand, supporters argue that a majority of security incidents can be traced back to the actions of a single employee, which makes workers an organization’s weakest link. Awareness training is a reliable way to stymie the (largely unintentional) insider threat and alter user behaviors. It’s not a silver bullet, but it helps reduce organizational risk, which, after all, should always be the goal of security defenses.

Whichever side you favor, the reality is that most regulatory frameworks and compliance requirements mandate that you implement a security education program. Thus, it’s in your best interest to make the most of it. That starts with thinking of it less as a compliance checkbox exercise and more as a pathway to improved security and reduced risk.