"Dave Aitel recently published an article that generated a fair bit of controversy. In Why You Shouldn't Train Employees for Security Awareness, David claims that money spent on security training for employees would be better spent on securing networks and assets, concluding that "organizations will be much better off if the CSO/CISO focuses instead on preventing network threats and limiting their potential range. Employees can't be expected to keep the company safe; in fact it is just the opposite. Security training will lead to confusion more than anything else."
Aitel makes many valid points. These should not be discounted or ignored because he's arguing against a seemingly prevailing opinion regarding security awareness. One important argument Aitel raises is that users are overmatched, outgunned, and outnumbered. This argument is hard to dispute, and no awareness program I know of can prepare users for the diverse and constantly changing threat landscape they face. Combine this with the "tragedy of the URL", where we often teach users to be secure at the expense of making use of the very convenience hyperlinks offer, and I'll admit that, in this context, it is hard to argue that awareness makes a difference.
Aitel explains that the efficacy of security awareness programs is not corroborated by "broad statistical evidence", and offers anecdotal data suggesting that on average, organizations with security programs still see "a click-through rate on client-side attacks of at least 5 to 10 percent."
Here is where my perspective on security awareness programs begins to differ from Dave Aitel's. His conclusions are not wrong, but security awareness programs ought to do more than teach users how to avoid click-through and client-side attacks."