In the grand scheme of things security awareness is nothing more then another security control.  The only difference between awareness and other controls is awareness focuses on the human OS.  For some reason it is the human factor that confuses people, resulting in a variety of misconceptions.  Here I identify the five top myths why security awareness does not work and why I feel they are wrong.
  1. You Can't Patch Stupid:  I hear this saying often and to be honest I don't like it.  Most users are not stupid, it is just that most users are not trained on security.  Keep in mind many end users are highly educated people, such as lawyers, doctors, accountants and mechanics.  I'm sure these professionals can easily say the same thing about me in their profession.  Instead of insulting end users, I think we should start by treating them as capable people who want to learn.  There will always be that small percentage of people you just can't reach, but that does not mean we should start off by applying that mentality to everyone.
  2. You Can Always Fool Someone:  This is true, we will not be able to secure all the users.  If an attacker tries enough times, he will even trick the most highly trained individuals.  But risk is all about mitigation, not elimination.  Anti-virus does not catch all malware, SDLC does not catch all bugs, IDS sensors and logging do not detect all incidents and patching does not solve all vulnerabilities.  It is all about layers of mitigation.  Awareness is nothing but another control, the same approach applies.
  3. People Forget: I've heard professionals say security awareness does not work because after you train people they quickly forget.  Yes that is true, for an awareness program to be effective you have to constantly reinforce your training.  But once again this is no different then any other control.  When you first patch a computer it is highly secure, all known vulnerabilities are fixed.  But over time that same computer becomes more and more insecure.  Six months later it is riddled with wholes, to keep it secure you have to be constantly updating it.  The human OS is no different, just like any other operating system to keep it secure you have to constantly update it.
  4. You Cannot Quantitatively Measure It:  Can I give an organization a quantitative value of how much risk security awareness will reduce?  No, I cannot.  Can you give me a quantitiative value of how much risk a firewall or implementing an IDS will reduce?  Most likely not.  This is a problem we need to solve in information security in general, it is not a problem unique to awareness.
  5. You Can't Change Human Behavior.  Yes you can change human behavior.  The US National Highway Traffic Safety Administration did it with seat belts and hospitals have done it with hand washing.   What you can't do is send out a newsletter once a year and expect security awareness to work.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and