Damn You, Beaker!
Yesterday Hoff blogged about McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security” and added ten more of his own. I’m particularly annoyed at him for #4:
Awareness initiatives are good for sexual harassment and copier training, not security.
Why? Because, damn, that really sums it up. I wish that I had thought of this one myself. As I’ve said in the past, I think that awareness training is way underappreciated in security and Chris just had to go and be far more eloquent in one sentence than I was in several paragraphs. Hey Chris, mind if I steal this?
“I think that awareness training is way underappreciated in security”
Why?
*sound of crickets*
Education and awareness training does not work because of the prisoner’s dilemma. All have to follow, but only a few are trained. The free-rider problem then makes it impossible to close the feedback loop.
To the extent that security people push education and awareness training, we can say that they are avoiding the real problems, so it is covering up misunderstandings. Worse than useless, it can be a danger to security.