Top 3 Misconceptions on Security Awareness Training

While working with executives and security professionals on awareness training, I tend to run across the same questions or misconceptions.  I wanted to share with you the top three I most commonly run into and explain why were others sees problems, I see solutions. 1. Awareness never worked in the past, why should it work now?  Awareness has a bad rap, one I believe it deserves.  The reason awareness in the past never changed behaviors is because organizations never intended their programs to change behaviors.  Traditionally most awareness training has focused on compliance, nothing more then annual training to check the box.  If you patched your computers once a year would you consider them secure?  Of course not.  Humans are no different.  If you want an awareness program to have an impact, you need a long term program designed to have an impact. 2. Someone always clicks.  I often hear that no matter how much you train people, someone will always click on a link.  Of course this is true, but how is that different then another other control?  Firewalls do not stop all attacks, anti-virus does not catch all malware, IDS sensors do not detect all attacks.  These are controls that reduce risk, not eliminate it.  Awareness is no different, by reducing the number of clicks you reduce risk.  For example, one organization I worked with freed up half of a FTE (Full Time Employee) with their awareness program just in the drop of the number of infected systems alone.   That drop can either save money for the organization or allow the FTE to focus on more advanced risks.  For those employees who simply refuse to change their behaviors, then more awareness training may not be the answer, HR may be (i.e. discipline them, move them to a less critical position or firing them). 3. Detection / Response.  When people think of awareness training they tend to think of phishing attacks, strong passwords, or locking computer screen.   Prevention is important,  but why not pump up the volume and also focus on detection and reporting? For example, teach people, including IT staff and help desk, the most common indicators of compromise.  Turn them into human sensors.   In one organization I recently worked with an employee received a social engineering attack over the phone.  Not only did the employee immediately figure out the phone call was an attack, not only did the employee immediately report it, the employee began pumping the attacker for information including asking them for their name and phone number.  Lets see your IDS do that.