Slashdot Mirror


Schneier: Security Awareness Training 'a Waste of Time'

An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"


  1. Re:Obligatory car analogy by lgw · Score: 1, Redundant

    To put all of the above simply: effective security is the ratio "how hard is it for an attacker to gain access" / "how hard is it for the authorized user to gain access".

    Anything you do that makes it harder on the authorized user reduces security in practice, and is only good if it causes a disproportional difficulty for the attacker. Or, in physical security terms "any locked door between where your employees work and the smoking area will be propped open - design around that".

    --
    Socialism: a lie told by totalitarians and believed by fools.