But for executives, call center personnel, plant labor, shipping and receiving personnel, and non-IT staff you can find much better ways to invest your IT security budget than in security awareness training.
Protect them against executables in emails. Install anti-spyware and anti-phishing defenses. Make it impossible for someone to give out credentials over the phone by deploying token authentication devices. Use proximity IDs, biometrics and cameras for building access if you perceive a risk of unauthorized personnel wandering around your facilities. Don't rely on your people to stop suspicious characters.
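The first control above, blocking executable attachments before they reach a mailbox, is the kind of policy decision a gateway can make without any user judgement. The following is an added example, not code from the original article or from any product the author mentions; the attachment samples, the `Attachment` class and the policy functions are constructed for illustration. It rejects an attachment when either its final extension is an executable type (after stripping the trailing spaces and Unicode bidi controls used to disguise names) or its leading bytes identify a native executable or script regardless of what the file is called.

```python
"""Mail-gateway attachment policy: block executable content, not just names.

Added example (hypothetical gateway code). Both checks are applied because
either one alone is easy to evade: a renamed EXE passes an extension check,
and a script with an innocuous name passes a magic-byte check.
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Extensions a Windows mail client will execute or hand to a script host.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "cpl", "msi", "msp",
    "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "wsh", "ps1", "hta", "jar",
}

# Leading byte signatures of executables and scripts, checked independently
# of the file name so that a renamed binary is still caught.
EXECUTABLE_MAGIC = (
    (b"MZ", "pe"),                       # Windows PE (EXE/DLL/SCR)
    (b"\x7fELF", "elf"),                 # Linux/Unix ELF
    (b"\xfe\xed\xfa\xce", "macho32"),    # Mach-O 32-bit
    (b"\xfe\xed\xfa\xcf", "macho64"),    # Mach-O 64-bit (big-endian magic)
    (b"\xcf\xfa\xed\xfe", "macho64"),    # Mach-O 64-bit (little-endian magic)
    (b"#!", "script"),                   # shebang script
)


@dataclass
class Attachment:
    filename: str
    content: bytes


def normalized_extension(filename: str) -> str:
    """Return the extension the OS would actually act on, lower-cased.

    Unicode format characters (category Cf, e.g. the right-to-left override)
    are removed because they only change how the name is displayed, and
    trailing spaces and dots are dropped because Windows ignores them.
    """
    cleaned = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    cleaned = cleaned.rstrip(" .").lower()
    if "." not in cleaned:
        return ""
    return cleaned.rsplit(".", 1)[1]


def magic_type(content: bytes) -> Optional[str]:
    """Identify executable content from its leading bytes, or None."""
    for prefix, kind in EXECUTABLE_MAGIC:
        if content.startswith(prefix):
            return kind
    return None


def block_reasons(att: Attachment) -> List[str]:
    """List every reason the policy rejects this attachment (empty = allow)."""
    reasons = []
    ext = normalized_extension(att.filename)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension .{ext}")
    kind = magic_type(att.content)
    if kind:
        reasons.append(f"content looks like {kind}")
    return reasons


def should_block(att: Attachment) -> bool:
    return bool(block_reasons(att))


# Constructed sample attachments (not real mail data).
SAMPLES = [
    Attachment("invoice.pdf.exe", b"MZ\x90\x00\x03"),      # double extension + PE
    Attachment("readme.txt", b"MZ\x90\x00\x03"),           # PE renamed to .txt
    Attachment("report.pdf", b"%PDF-1.7\n"),               # genuine document
    Attachment("quarterly.docx", b"PK\x03\x04"),           # OOXML zip container
    Attachment("photo\u202egnp.exe", b"\x00\x00"),         # RLO-disguised .exe
]

if __name__ == "__main__":
    for att in SAMPLES:
        verdict = "BLOCK" if should_block(att) else "allow"
        print(f"{verdict:5} {att.filename!r}: {block_reasons(att)}")
```

Note that zip containers such as `.docx` are allowed here; a production gateway would additionally open archives and apply the same checks to their members, since that is the other common way an executable reaches a mailbox.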
In most cases you are better off investing in new controls and technology than throwing away resources on ineffective training programs. When confronted with an argument in favor of training, ask yourself "How can I address this risk by changing my policies and engaging technology solutions?" before you authorize spending on something that will do nothing to increase your overall defense posture or reduce your risk.
Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.