This SecuriTeam post debates some of the pros/cons of corporate security awareness. Some firms rely solely on technology controls while others have a robust user awareness program. Somewhere in the middle is a good balance as both technology and the user play an important role in safeguarding the company’s information resources. I would personally vote “YES” having seen direct and measurable benefits from past security awareness campaigns
Corporate Security Awareness – It is worth the effort and cost?
QUOTE: Is security awareness “worth it”? Is security awareness “cost effective”? Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security. Three arguments in favour of at least trying security awareness spending:
1) When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.
2) Security awareness is mostly about risk management. Business management is mostly about risk management. Security awareness can give you advantages in more than just security.
3) Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.