Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier: Security Awareness Training 'a Waste of Time'

Posted by Soulskill on from the only-trust-users-to-be-users dept.

An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"

1 of 284 comments (clear)

  1. Re:Obligatory car analogy by hairyfeet · · Score: 5, Interesting

    Sorry, been in PC retail for nearly 25 years and I can tell you training the grunts? NEVER works. Now training the IT staff? Sure send 'em to blackhat, pay for security classes, those ARE good investments that will see return, but Sally the secretary, that sees the PC as a magic black box that lets her do her work? Sorry but its gonna go in one ear and out the other.

    It would be like trying to teach me how to rebuild cars, i don't like cars, never cared about what model I drove, I just don't give a damn as long as it gets me from A to B and THAT is how many of your employees see the PC. They don't want to know about the thing, couldn't care less what its doing as long as they can get their work done and punch out, they have not the slightest interest in PCs which if you don't have any desire to really learn? Not gonna stick.

    So i have to agree that paying to train the regular staff is just a waste of time and energy. Much better to make sure you have well trained IT staff that can minimize the risk that your end users will have because frankly you are just wasting your breath when you try to teach somebody who doesn't care about PCs how to securely use one.

    --
    ACs don't waste your time replying, your posts are never seen by me.