
Debate: Security training is effective in preventing workers from clicking on malicious links and attachments.

In this month's debate, two experts discuss whether security training is an effective strategy in the workplace.


Stu Sjouwerman, CEO, KnowBe4 

Money spent on security awareness training is not better spent on training developers to write secure code. Some argue that security awareness training is the whipping boy to illustrate how the computer industry has failed to design insecure systems. Perhaps those making that argument have forgotten that the internet really still is in beta. Vint Cerf recently admitted as much with his remark: “We never got to production code.”

In such an environment, you do want to educate your end-users and provide them with the knowledge and skills to spot social engineering red flags, and not to click on suspicious links or open infected attachments. Our training never fails to show a dramatic reduction in what we have called an organization's “phish-prone” percentage. The stats show the effectiveness: up to 80 percent fewer clicks on simulated phishing attacks. These days security awareness training is a must.

That said, it's but an essential piece of the whole defense-in-depth puzzle organizations need to have in place. 


Dave Aitel, CEO, Immunity 

Security awareness training is one of the most overrated – and dangerous – aspects of security planning that any organization can use. The premise is a simple one: Employees are targeted in phishing schemes, so let's teach them how to not get owned. But the problem is that no matter how much training an organization provides employees, the worker is still going to screw up.

Employees weren't hired to handle your company's security – and they shouldn't be expected to. By placing an emphasis on employee training, you're giving yourself the false assurance that this is somehow making the company safer. It isn't. Even trained employees stand no chance against a modern attacker who customizes his phishing attack against that individual. Security awareness simply cannot address this threat.

It's the CISO's job to make sure that technical controls are in place to mitigate these threats. The reality is: An employee should be able to click on any link, open any attachment and go about their jobs as they see fit, and not expose the company to a serious breach.

Dave Aitel

Dave Aitel is a former NSA computer scientist, the Founder of Immunity, Inc, one of the top boutique penetration testing companies in the United States, and currently a Partner at Cordyceps Systems, where he focuses on leading a team doing machine learning and data science.
