Absolutely. I'm baffled how people could think it does not. Think about it. Go to a security conference and select several hundred attendees who have Windows laptops (I suggest CanSecWest, one of my favorite technical conferences). Run a simple antivirus or scanning program on these computers and see how many are infected. Now do the same at any other non-security conference (say a marketing or sales event) and see how many of those laptops are infected. You are most likely going to find a far greater number of infected systems on the computers of non-security professionals. Why? Because security professionals in general are more paranoid, more security aware, and more careful in how they use their computers. When was the last time your personal laptop was hacked? Awareness works. The question is not whether awareness works, but how to make it a cost-effective solution.
To be honest, this is the issue most security measures face. They all reduce or mitigate risk to some degree. However, we all have limited resources, so we have to decide what is most effective. The reason I'm such a big fan of awareness is that so little has been invested in this area. We don't have to make people security experts; that should not be the goal. The goal should be just enough awareness to make the biggest difference. Think about your security budget: what percentage goes to technical solutions? Most likely 90%+. This means you have an entire area of risk (the human one) where very little is done. Just some basic steps in that area can potentially make big improvements in security. The trick is getting the biggest bang for your buck. That is what we will be focusing on in the coming weeks.