
01:30 PM
Fahmida Y. Rashid

Is Security Awareness Training Really Worth It?

Experts weigh in on the value of end-user security training, and how to make education more effective.


Nothing riles up information security professionals quicker than the question of how much to invest in security awareness training. Does it work? Is it worth the money?

"There are three things you don't talk about in security: religion, politics, and security awareness training," says Jennifer Minella, VP of engineering with Carolina Advanced Digital and a member of the board for the International Information Systems Security Certifications Consortium, or (ISC)2.

Not that security training doesn't work. In the 2014 US State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks. The financial value of employee awareness also was compelling, the report found, as companies without security training for new hires reported average annual financial losses of $683,000, compared with companies with training that said average financial losses totaled $162,000.

Security professionals generally recognize the importance of security awareness training as part of an overall information security plan. Users need to know they have a role in securing the organization's data. In (ISC)2's latest Global Information Security Workforce Study, adherence to security policy and training staff on security policy ranked No. 3 and No. 4 in effectively helping secure an organization's infrastructure.

But then there are high-profile security experts such as Bruce Schneier, CTO of Co3 Systems, who've argued that training is mostly a waste of time. Users aren't information security experts and shouldn't be expected to keep ahead of potential threats. These experts believe the focus on awareness training takes attention away from bigger industry issues such as failures in software design and lack of technical controls.

The dividing line?

For most enterprises, it's not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees. Rather, the question is, how much training is enough? The list of companies suffering data breaches is growing steadily, and many of them made significant investments in training, raising questions about its effectiveness.

"It's weird that we are saying, 'Don't click,' to users," says Dave Aitel, CEO of Immunity, a security software company. Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them, he says.

The counterpoint is that users aren't stupid and should share some responsibility in keeping their companies secure, Minella says. All employees, regardless of role or position, are expected to represent the company's strategic goals and behave accordingly at work, at home, and on social media.

"Security is not siloed anymore, and everyone needs to work together on common business goals," she says.

Awareness, not responsibility?

The anti-training camp argues that the emphasis on security awareness training frequently means that users catch the blame when a data breach occurs. A number of recent major data breaches began with a spear-phishing email, and security departments sometimes blame the compromises on "so-and-so clicking on the email" rather than concede that the organization didn't have the right security defenses in place.

"There is a difference between awareness and relying on training users to avoid the threats," says Anup Ghosh, CEO of security software firm Invincea.

If a company wants to protect sensitive intellectual property from corporate espionage, it acquires and configures firewalls and other defenses. But if the company is concerned about spear phishing, the answer is inevitably, "'We will train the users,' which doesn't make any sense," Ghosh says. Spear phishing should not be treated as a problem with users, but rather as an attack on users requiring a technical response.

Read the rest of the story in the new issue of InformationWeek Tech Digest (free registration required).

Thunder Cat
User Rank: Apprentice
2/7/2017 | 10:42:03 AM
There are a bunch of organizations that focus on employee awareness training. They vary from do-it-yourself to fully managed. If anyone is curious, here are some of the most popular ones:
  • PeopleSec
  • Wombat
  • KnowBe4
  • PhishMe

User Rank: Apprentice
11/29/2016 | 9:08:27 AM
Security is a shared responsibility
I agree with everyone who has commented on the subject. Security against cyberattacks and other digital risks is a shared responsibility by all employees within the organization.

As businesses move their shops to the internet and start to do transactions online, security becomes a responsibility of everyone in the organization. In the case of our company, we had our employees undergo online digital awareness training under Career Academy to further improve their awareness of the risks of cyberattacks. The added knowledge increases our confidence in minimizing opportunities for external threats to infiltrate our online shop.

Kudos to the author.
User Rank: Strategist
11/20/2014 | 6:04:35 PM
Re: EVERYONE must be part of the solution.
@aws0513 - I love the quote!  I love the book.  So many truths you can apply to life in general.

My husband takes issue with locking doors (he grew up in rural Pennsylvania) because of an old folk tale his dad told him about "Indians" attacking and pillaging homes in a village but skipping the houses that were unlocked because it was a sign of trust.

User Rank: Ninja
11/20/2014 | 5:32:25 PM
Re: EVERYONE must be part of the solution.
There is some truth to what you say @vnewman2.

"Thus, what is of supreme importance in war is to attack the enemy's strategy." - Sun-Tzu

Most cultures grasp the concept of physical security already.  Lock doors, stay away from dangerous parts of town, don't flash large amounts of money around, learn self-defense skills, don't talk to strangers unless you have an exit plan or are in a public place that you feel is safe.  Entire industries live off of the fact that there are dangerous people in our world.

But for some reason, especially on the civilian side of things, that danger has not been fully recognized or realized.  The damage caused by hackers and inside threats is not palpable to most computer users.  The breach reports look like a bunch of numbers... or just plain FUD.  No blood, few tears, no funeral processions, nothing seems to have been lost.

For the military, the systems they use to do what they need to do are all considered critical, albeit some more than others.  
If a system fails because it was not properly maintained and protected, lives could be put at risk on both sides of the front of a war or battle.  So from the day they begin basic training, military troops are taught how important it is to maintain security awareness in everything they do.  The practice becomes rote...  second nature...  just like locking the car door is for most civilians.  The practices are the same during peace-time as they are during war-time, with the only exception being a heightened situational awareness when the bullets start to fly.

So... How do we get civilians to see the dangers in a similar light?
Sadly, even though I believe awareness programs are important, I do not believe they will be truly effective unless people know there are palpable repercussions for not paying attention to the information provided and acting on situations as directed.
My fear is something truly horrible will happen someday.  An event that affects everyone in a truly tragic way, that will become the catalyst for cultural change.  I do not want that to happen, but more and more it seems like a reality.
I can only hope that "harping" on the subject of information security with my peers, my coworkers, and my organization management...  every day...  eventually sinks in enough to make a difference.  I have seen a few good results.  But for every good practice, I see many more bad practices yet to be remedied or prevented.
User Rank: Strategist
11/20/2014 | 2:10:08 PM
Re: EVERYONE must be part of the solution.
@aws0513 "I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it".

Exactly.  And what the end user fails to understand is that the hackers and cybercriminals of the world are always one step ahead, inventing new ways of breaching the security measures already in place.  

Maybe "training" on what to watch out for isn't enough.  Maybe we have to train people to think like a crook and to question everything more readily - much like a member of the military who is always observant of their surroundings, pays attention to details, and is always on alert for anything that looks suspicious or outside the norm.
User Rank: Apprentice
11/20/2014 | 3:50:16 AM
Humans need help!
Security is never going to be top of everyone's priority list. Our research found 52% of workers did not realise that sharing work related logins was a risk. Users are human beings, they are flawed, they will always act outside the boundaries of policy (and sometimes common sense). An optimum strategy to mitigate the risk from this unintentional insider threat is a joined up approach of better training and help from technology solutions. Technology solutions, such as UserLock, which outrightly restrict some of the bad user behavior (preventing password sharing, restrictions on network access etc), as well as helping educate and disseminate good behavior. This help from technology solutions helps employees get on board with security policy and reinforce the user security awareness training they receive.
User Rank: Apprentice
11/19/2014 | 11:49:20 AM
Re: Responsibility and Empowerment
That police analogy is apt. I was struck by the argument that focusing on security training is leading to victim-blaming, much like what happens when a crime occurs. Training is important, but we don't want IT saying "it's the users' responsibility not mine," either.

So really, *everyone* has to take part.
User Rank: Ninja
11/19/2014 | 10:26:35 AM
EVERYONE must be part of the solution.
During my 22 years of military service, I observed how IT became integral to operations for the military.
Information security practices had already been established in the military long before IT for the masses was even possible. The information security practices had to adjust, but the expectations continued to be consistent.

There are common acronyms in the military: OPSEC (Operations Security) and INFOSEC (Information Security). All units in the military are responsible for practicing OPSEC and INFOSEC as specified by various military regulations. These concepts were around when paper, typewriters, and POTS (plain old telephone systems) were the norm. These concepts still exist today, but have adapted to include the use of computers and networking technologies.

During unit compliance inspections, units are tested/evaluated for their OPSEC and INFOSEC programs. This applies to ALL units. Even though there is usually a specific team on a military installation responsible for the overall establishment of OPSEC and INFOSEC programs within the tenant units, the tenant units are measured for their compliance with that program.
I have seen situations where the oversight team for OPSEC and INFOSEC programs for a military installation did everything they could to get everyone on the right track regarding INFOSEC and OPSEC, but then see a tenant unit fail their INFOSEC or OPSEC inspections (sometimes in spectacular fashion). In classic military form, the final black mark for the evaluation hits the oversight team AND the tenant unit that failed the evaluation AND the installation commander responsible for both. In other words, even though it was the tenant unit that failed the evaluation, everyone in the chain of command is held accountable. Of course, when such things happen... well... stuff rolls down hill and collateral damage is wide sweeping.
The end result: A culture of security consciousness within the entire installation that is consistent and considered normal. Anything "not normal" is considered not good and dealt with swiftly in an appropriate manner.
If only I could get civilian organizations to have the same culture.

Ongoing IT Security Awareness for all organization members is absolutely necessary.
EVERYONE in an organization, from the CEO to the employee sweeping the floors, is responsible for the security of the organization.
In some cases, even customers must understand the security concerns involved with doing business with an organization and accept that they must follow certain protocols in order to properly and safely receive services.

I regularly hear from end users how they dread the annual security refresher training, stating that "they get it" and that "we know already... no need to harp on it".
My common response: "If that were true for everyone, I would not be spending so much time on incident responses involving poor user practices."
User Rank: Moderator
11/19/2014 | 9:35:10 AM
Re: Responsibility and Empowerment
Good point, we can't expect IT to act as both the utilities companies and the police at the same time, there must be some responsibility on employees to be vigilant when it comes to maintaining a secure work environment.  The problem is it's just way too easy for them to transfer the responsibility to say "this is the responsibility of IT security, not mine" despite them being aware that the weakest links to security tend to be the front lines: email and web interactions.
User Rank: Moderator
11/19/2014 | 7:05:00 AM
Responsibility and Empowerment
>> "Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them".

Apply the same argument to real life: People should be allowed to do whatever they need to achieve fulfilling lives, and it's law enforcement's job to create an environment to protect them.

These are ideals, and they are not wrong to express. But there is the reality of it all. The fact is, you play a role in maintaining your own safety in life. The cops themselves will tell you they can't do it all.

We all bear some responsibility for our own security safety.