Richard Bejtlich, CSO of Mandiant and a security professional I have admired for years, recently posted his thoughts on the value of security awareness. He and I agree on many points. The goal of awareness is to reduce risk, specifically human risk, and if done right it can be effective at it. Security awareness metrics such as phishing assessments have demonstrated you can reduce human risk to less than 5% (show me any other technical control that has such impact). I also agree with him that security awareness cannot reduce all risk. Just like any other control it will not prevent all attacks. However, I would add one thing to Richard's post, and for someone so passionate on detection I'm surprised he missed this one. One of the greatest values you can have from awareness training is not just prevention, but detection and response. Train people not to be just human firewalls, but human sensors. Let's take our phishing assessment examples again.
One of the things that always surprises me is not just how awareness training can dramatically decrease the number that fall victim, but also increases the number who can detect and report the attacks. For example, when an organization starts an awareness program a common metric is for every five people that fall victim, one person will identify and report it. Six months later its possible to reverse those numbers. Even better, just think how much risk we can reduce when even though that 5% still falls victim, they realize that something happened and report it. Part of any awareness program should include indicators of compromise (IOC) for people, teach them the basics of what to look for and report it. A common challenge I see with reporting is when you first kick off your awareness program you often get overwhelmed with feedback. However, with tuning and training people can become not only a powerful tool in preventing attacks, but identifying and reporting them.
