Bruce Schneier has come out saying that Security Awareness training isn’t worth the money, and I couldn’t disagree more. Specifically, Schneier has said:
I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.
Bruce’s statement and belief reflect the fallacy and overconfidence of the engineer. I saw this discussed once in a seminar on highway safety, where the highway engineers talked about how they once believed that they could eliminate traffic fatalities solely by engineering better highways and better cars. They soon learned that wasn’t enough — they needed the four Es:
- Engineering
- Enforcement
- Education
- Emergency Response
Engineering highways — or security — is only part of the picture. You still need to have policies and enforce them. You still need to teach users to be aware of threats and to know how to respond. And you need emergency response to ensure your systems are not killed by the attacks — that they are resilient and can recover.
Awareness training is a vital part of this. Yes, you can engineer away some of the problems. But you can’t get rid of them all, and you certainly need to educate about social engineering attacks.
Bruce — I’m surprised at you for this statement.
(and now it is off to the shower before I go to work….)