Despite the fact that many security experts have been encouraging — even imploring — organizations to think differently about their end users and focus on building a culture of security from the top down, infosec professionals still yearn for a technical solution to employee-driven cybersecurity woes, phishing in particular. This is, frankly, totally understandable. As humans, we all long for “magic bullet” solutions to pressing and wide-ranging problems, and often hope that the path of least resistance will take us to our desired destination.
Certainly, end-user security awareness training is not a path of least resistance. But it is a path worth walking, on a number of levels. Here’s just one reason why:
You say: “Forget security awareness training. It doesn’t work, and I’d rather put my time and money into technology-based defense-in-depth strategies.”
Your end users hear: “I can do whatever I want because IT will fix it.”