Security awareness training is one of those topics that can cause a lot of debate depending on whom you ask. I am from the pro-security-awareness-training camp because there are too many positive and proactive benefits to engaging and educating end-users about computer security. Investing time and money into implementing company-wide security awareness training initiatives is one of the best ways to ensure that company employees will not make costly errors with regard to information security. Why? Because the greatest threat to information security may actually come from within the organization. It is not always disgruntled workers or corporate spies who are a threat. Often it is the non-malicious, uninformed employee who mistakenly clicks on the link in a spear-phishing email.
Good security awareness training involves educating employees about general computer security. Users need to know they have an important role in securing the organization's data. Employees should be taught that an organization's data (e.g. intellectual property) is a valuable corporate asset that must be protected. Employees should also know whom to contact if they discover a potential security threat. Just as important, if an organization has a high turnover rate and/or relies heavily on temp workers or contractors, then regular security awareness training is a must.
On the flip side, those against security awareness training argue that the emphasis on training means that end-users are frequently the ones blamed when a data breach occurs, because they did not follow what they were taught during training. Not to mention that it is sometimes easier for security departments to blame the end-users for security compromises "because they clicked an unknown link in an email from someone they didn't know" rather than admit that the organization did not have the right security defenses in place to prevent the breach. The simple fact is that it only takes one person clicking on something bad to jeopardize the security and integrity of an organization's entire network, no matter how much technology is in place.
While many security professionals generally recognize the importance of security awareness training as part of an overall information security plan, many feel that instead of spending time, money and resources on trying to teach employees to be secure, responsible computer users, organizations should focus on securing the overall networking environment. They feel that security issues should not be treated as a problem with end-users, but rather as an attack on end-users requiring a technical response. In their view, hardening the organization's network would allow end-users to click on any link or open any attachment without running the risk of harming the organization.
All things said, the responsibility to safeguard information, whether professional or personal, falls upon the end-user. Security awareness training programs are meant to better prepare individuals to fulfill this responsibility. Furthermore, properly educating end-users about adopting behaviors that protect information benefits not only the organization but also the individual. The more you know, as they say.