FOR

Andy Willingham, information security officer for a financial services company

User awareness training is vital to any successful information security program. Many security events are the result of people doing something that they shouldn't have done. Clicking on a malicious link, for example, or sending confidential information via unsecured email can put organizations at risk. A simple mistake can invalidate much of the security defenses that a company has implemented. Most of the time, such incidents occur because people are simply not aware or don't understand that their actions can affect computer security. Let's face it: Policies and technology cannot stand up to a user who really wants to see that funny video, work from home or use technologies that make their job easier. Good awareness training can, however, overcome these issues. Such programs should help people understand why they need to act securely. Also, awareness training programs should be engaging so users ultimately retain this valuable information. Users who understand that their actions matter will think twice before taking a risky action.

Against

Amrit Williams, CSO, Quantivo

Security awareness training is simply not a worthwhile investment to protect corporate resources. Advanced and targeted attacks committed by dedicated interlopers or internal miscreants are far too sophisticated for the general public to defend against. It is popular to believe that we can build a knowledgeable, hypervigilant Jason Bourne-like cyber army, but that would require lots of knowledge, cooperation and adherence to rules.

Unfortunately, most of us – and I am looking directly at you, dear reader – have a Nietzschean Übermensch complex. We believe that rules and laws are good and should be adhered to by the general population, but that we are above them. We know better. We can run with scissors. We are the exception to the rule. In reality, we are not. Security awareness training is a worthwhile investment when one needs to inform their employee population of corporate policies, especially if violations of policy can lead to employment termination or criminal prosecution. For everything else, visibility and control are needed.