In my old SANS webcast titled “What’s NOT Working in Security in 2004” I mentioned security awareness as one of the failures. This insightful blog entry from Richard Stiennon (controversial due to his “death of IDS” report of 2003) highlights the faults and inherent limitations of security awareness training.
Granted, it is very hard, if not impossible, to develop technical safeguards against social problems (like employee abuse and “social engineering” attacks), but using security awareness training to plug the holes in technical security countermeasures is not going to work either. Here are some of the highlights: “Security awareness training is like the “Quidado!” sign a hotel or airport erects over a puddle in the middle of the hallway. A dangerous situation is addressed with a sign instead of the immediate application of a mop.”
And even harsher: “I say no. Education is not key to security. Good security technology is key to security.” He then continues to escalate to this: “If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed.”

Thoughts?