I think this is too simplified a view.
It's hard to quantify how many things don't happen, prevented by basic awareness training. But, a big problem could be the training itself. From this Dark Reading post:
"Security awareness has a bad reputation, and to be honest it deserves it," says Alan Paller, director of research at the SANS Institute. "Most programs have been poorly planned or executed. "and
"The problem is not the users. The problem is us," says Mike Murray, managing partner for consultancy MAD SecurityBut this post nails it for me:
A security awareness component is one of the most important pieces of any complete security program. The challenge, however, is to make it interesting. I can't count how many times I've sat through security training that amounts to nothing more than slide after boring slide of "you can't do this", "it's against policy to do that".There the crux of the problem. Who said that awareness training has to be boring?!?
We do our entire security industry a disservice when we force people to sit through monotonous sessions, live or online, flinging out-of-context information at them. And sometimes it's even worse... is your training, or trainer, condescending?
So, what to do? I like to try to make awareness as fun as possible. If it's enjoyable, it will stick. I frequently do presentations, at work and other places, on Family Internet Safety, Tech-Smart Parenting, Smartphone safety, and other "consumer" topics. We can then relate home security issues to security at work.
We have fun events like a booth at an internal IT fair, and celebrations for US National CyberSecurity Awareness Month (SCSAM).
I often field questions from users who receive an unusual email or are unsure whether or not a website or link is safe. Whenever I'm contacted on this kind of issue, I always thank the sender for bringing the issue to my attention. Whether the threat is real or imaged, we have both a great teaching moment and the opportunity to create a fan of, and voice for, security in the business units. These are important opportunities.
To sum up, this post offers a great top-10 list of tips for security awareness training. However, they left off one very important item... make it fun and engaging!
Do you have a security awareness program at work? Whether you are in charge of the program or a user, is it effective? is it fun? What are your favorite security awareness tips and tricks?