01:30 PM
Fahmida Y. Rashid

Is Security Awareness Training Really Worth It?

Experts weigh in on the value of end-user security training, and how to make education more effective.

Download the entire new issue of InformationWeek Tech Digest, distributed in an all-digital format (free registration required).

Nothing riles up information security professionals quicker than the question of how much to invest in security awareness training. Does it work? Is it worth the money?

"There are three things you don't talk about in security: religion, politics, and security awareness training," says Jennifer Minella, VP of engineering with Carolina Advanced Digital and a member of the board for the International Information Systems Security Certifications Consortium, or (ISC)2.

Not that security training doesn't work. In the 2014 US State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks. The financial value of employee awareness also was compelling, the report found, as companies without security training for new hires reported average annual financial losses of $683,000, compared with companies with training that said average financial losses totaled $162,000.

Security professionals generally recognize the importance of security awareness training as part of an overall information security plan. Users need to know they have a role in securing the organization's data. In (ISC)2's latest Global Information Security Workforce Study, adherence to security policy and training staff on security policy ranked No. 3 and No. 4 in effectively helping secure an organization's infrastructure.

But then there are high-profile security experts such as Bruce Schneier, CTO of Co3 Systems, who've argued that training is mostly a waste of time. Users aren't information security experts and shouldn't be expected to keep ahead of potential threats. These experts believe the focus on awareness training takes attention away from bigger industry issues such as failures in software design and lack of technical controls.

The dividing line?

For most enterprises, it's not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees. Rather, the question is, how much training is enough? The list of companies suffering data breaches is growing steadily, and many of them made significant investments in training, raising questions about its effectiveness.

"It's weird that we are saying, 'Don't click,' to users," says Dave Aitel, CEO of Immunity, a security software company. Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them, he says.

The counterpoint is that users aren't stupid and should share some responsibility in keeping their companies secure, Minella says. All employees, regardless of role or position, are expected to represent the company's strategic goals and behave accordingly at work, at home, and on social media.

"Security is not siloed anymore, and everyone needs to work together on common business goals," she says.

Awareness, not responsibility?

The anti-training camp argues that the emphasis on security awareness training frequently means that users catch the blame when a data breach occurs. A number of recent major data breaches began with a spear-phishing email, and security departments sometimes blame the compromises on "so-and-so clicking on the email" rather than concede that the organization didn't have the right security defenses in place.

"There is a difference between awareness and relying on training users to avoid the threats," says Anup Ghosh, CEO of security software firm Invincea.

If a company wants to protect sensitive intellectual property from corporate espionage, it acquires and configures firewalls and other defenses. But if the company is concerned about spear phishing, the answer is inevitably, "'We will train the users,' which doesn't make any sense," Ghosh says. Spear phishing should not be treated as a problem with users, but rather as an attack on users requiring a technical response.

Read the rest of the story in the new issue of InformationWeek Tech Digest (free registration required).

Thunder Cat
User Rank: Apprentice
2/7/2017 | 10:42:03 AM
There are a bunch of organizations that focus on employee awareness training. They vary from do-it-yourself to fully managed. If anyone is curious, here are some of the most popular ones:
  • PeopleSec
  • Wombat
  • Knowbe4
  • PhishMe

User Rank: Apprentice
11/29/2016 | 9:08:27 AM
Security is a shared responsibility
I agree with everyone who has commented on the subject. Security against cyberattacks and other digital risks is a shared responsibility by all employees within the organization.

As businesses move their shops to the internet and start to do transactions online, security becomes a responsibility of everyone in the organization. In the case of our company, we had our employees undergo online digital awareness training under Career Academy to further improve their awareness of the risks of cyberattacks. The added knowledge increases our confidence in minimizing opportunities for external threats to infiltrate our online shop.

Kudos to the author.
User Rank: Strategist
11/20/2014 | 6:04:35 PM
Re: EVERYONE must be part of the solution.
@aws0513 - I love the quote!  I love the book.  So many truths you can apply to life in general.

My husband takes issue with locking doors (he grew up in rural Pennsylvania) because of an old folk tale his dad told him about "Indians" attacking and pillaging homes in a village but skipping the houses that were unlocked because it was a sign of trust.

User Rank: Ninja
11/20/2014 | 5:32:25 PM
Re: EVERYONE must be part of the solution.
There is some truth to what you say @vnewman2.

"Thus, what is of supreme importance in war is to attack the enemy's strategy." - Sun-Tzu

Most cultures grasp the concept of physical security already.  Lock doors, stay away from dangerous parts of town, don't flash large amounts of money around, learn self-defense skills, don't talk to strangers unless you have an exit plan or are in a public place that you feel is safe.  Entire industries live off of the fact that there are dangerous people in our world.

But for some reason, especially on the civilian side of things, that danger has not been fully recognized or realized.  The damage caused by hackers and inside threats is not palpable to most computer users.  The breach reports look like a bunch of numbers... or just plain FUD.  No blood, few tears, no funeral processions, nothing seems to have been lost.

For the military, the systems they use to do what they need to do are all considered critical, albeit some more than others.
If a system fails because it was not properly maintained and protected, lives could be put at risk on both sides of the front of a war or battle.  So from the day they begin basic training, military troops are taught how important it is to maintain security awareness in everything they do.  The practice becomes rote...  second nature...  just like locking the car door is for most civilians.  The practices are the same during peace-time as they are during war-time, with the only exception being a heightened situational awareness when the bullets start to fly.

So... How do we get civilians to see the dangers in a similar light?
Sadly, even though I believe awareness programs are important, I do not believe they will be truly effective unless people know there are palpable repercussions for not paying attention to the information provided and acting on situations as directed.
My fear is something truly horrible will happen someday.  An event that affects everyone in a truly tragic way, that will become the catalyst for cultural change.  I do not want that to happen, but more and more it seems like a reality.
I can only hope that "harping" on the subject of information security with my peers, my coworkers, and my organization management...  every day...  eventually sinks in enough to make a difference.  I have seen a few good results.  But for every good practice, I see many more bad practices yet to be remedied or prevented.
User Rank: Strategist
11/20/2014 | 2:10:08 PM
Re: EVERYONE must be part of the solution.
@aws0513: "I regularly hear from end users how they dread the annual security refresher training, stating that 'they get it' and that 'we know already... no need to harp on it'."

Exactly.  And what the end user fails to understand is that the hackers and cybercriminals of the world are always one step ahead, inventing new ways of breaching the security measures already in place.

Maybe "training" on what to watch out for isn't enough.  Maybe we have to train people to think like a crook and to question everything more readily - much like a member of the military who is always observant of their surroundings, pays attention to details, and is always on alert for anything that looks suspicious or outside the norm.
User Rank: Apprentice
11/20/2014 | 3:50:16 AM
Humans need help!
Security is never going to be top of everyone's priority list. Our research found 52% of workers did not realise that sharing work-related logins was a risk. Users are human beings, they are flawed, they will always act outside the boundaries of policy (and sometimes common sense). An optimum strategy to mitigate the risk from this unintentional insider threat is a joined-up approach of better training and help from technology solutions. Technology solutions, such as UserLock, which outright restrict some of the bad user behavior (preventing password sharing, restrictions on network access etc.), as well as helping educate and disseminate good behavior. This help from technology solutions helps employees get on board with security policy and reinforces the user security awareness training they receive.
User Rank: Apprentice
11/19/2014 | 11:49:20 AM
Re: Responsibility and Empowerment
That police analogy is apt. I was struck by the argument that focusing on security training is leading to victim-blaming, much like what happens when a crime occurs. Training is important, but we don't want IT saying "it's the users' responsibility not mine," either.

So really, *everyone* has to take part.
User Rank: Ninja
11/19/2014 | 10:26:35 AM
EVERYONE must be part of the solution.
During my 22 years of military service, I observed how IT became integral to operations for the military.
Information security practices had already been established in the military long before IT for the masses was even possible. The information security practices had to adjust, but the expectations continued to be consistent.

There are common acronyms in the military: OPSEC (Operations Security) and INFOSEC (Information Security). All units in the military are responsible for practicing OPSEC and INFOSEC as specified by various military regulations. These concepts were around when paper, typewriters, and POTS (plain old telephone systems) were the norm. These concepts still exist today, but have adapted to include the use of computers and networking technologies.

During unit compliance inspections, units are tested/evaluated for their OPSEC and INFOSEC programs. This applies to ALL units. Even though there is usually a specific team on a military installation responsible for the overall establishment of OPSEC and INFOSEC programs within the tenant units, the tenant units are measured for their compliance with that program.
I have seen situations where the oversight team for OPSEC and INFOSEC programs for a military installation did everything they could to get everyone on the right track regarding INFOSEC and OPSEC, but then see a tenant unit fail their INFOSEC or OPSEC inspections (sometimes in spectacular fashion). In classic military form, the final black mark for the evaluation hits the oversight team AND the tenant unit that failed the evaluation AND the installation commander responsible for both. In other words, even though it was the tenant unit that failed the evaluation, everyone in the chain of command is held accountable. Of course, when such things happen... well... stuff rolls down hill and collateral damage is wide sweeping.
The end result: A culture of security consciousness within the entire installation that is consistent and considered normal. Anything "not normal" is considered not good and dealt with swiftly in an appropriate manner.
If only I could get civilian organizations to have the same culture.

Ongoing IT Security Awareness for all organization members is absolutely necessary.
EVERYONE in an organization, from the CEO to the employee sweeping the floors, is responsible for the security of the organization.
In some cases, even customers must understand the security concerns involved with doing business with an organization and accept that they must follow certain protocols in order to properly and safely receive services.

I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it".
My common response: "If that were true for everyone, I would not be spending so much time on incident responses involving poor user practices."
User Rank: Moderator
11/19/2014 | 9:35:10 AM
Re: Responsibility and Empowerment
Good point, we can't expect IT to act as both the utility companies and the police at the same time; there must be some responsibility on employees to be vigilant when it comes to maintaining a secure work environment.  The problem is it's just way too easy for them to transfer the responsibility and say "this is the responsibility of IT security, not mine" despite them being aware that the weakest links in security tend to be the front lines: email and web interactions.
User Rank: Moderator
11/19/2014 | 7:05:00 AM
Responsibility and Empowerment
>> "Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them".

Apply the same argument to real life: People should be allowed to do whatever they need to achieve fulfilling lives, and it's law enforcement's job to create an environment to protect them.

These are ideals, and they are not wrong to express. But there is the reality of it all. The fact is, you play a role in maintaining your own safety in life. The cops themselves will tell you they can't do it all.

We all bear some responsibility for our own security safety.