The claim that security awareness trainings are not working is, in my opinion, a claim based on wrong assumptions. It also shows a clear lack of understanding of the inner workings of the human mind, and a total lack of respect for your co-workers.
If all you focus on is technology, code and cryptology, and you have very little real interaction with people, I can understand where you are coming from. It takes more than code to decrypt the subtleness of human interaction.
Last year, at the RSA Europe Conference in London, I was part of a panel discussing security awareness training. The panel consisted of two sides - for and against security awareness training. I happened to be speaking on behalf of security awareness training, and our team had an easy “victory”, simply because it is not possible to provide clear and consistent evidence that training is not working.
How, a few months later, a different panel at RSA Conference 2013 can reach the opposite conclusion, is lost on me.
There is plenty of evidence that suggests that training people works, and works well in most cases. Education and training are not perfect, and there are many cases where the results are not as good as expected. But that is not the same as claiming security awareness training is a waste of time and resources. It may be an argument for adjusting your expectations instead.
My main point at the panel was that if you do it wrong, you should not expect great results. And thus, you should not be complaining. The challenge is that even if you do it right, it can be hard to document the effect, and to show a clear causation between your training efforts and the behavior change. This is not unique to security awareness training; it is true of any training and development effort in your organization and in society.
We don’t stop training people just because it is hard to show how well it works. We start measuring by creating a baseline, defining a clear goal, and tracking our progress. If we are not moving in the right direction, we adjust the course.
I have learned that most infosec professionals excel at their technical skills, their risk management models and their policy making.
Some infosec pros claim that the only way to train your co-workers about security awareness is to hit them with a bat. When I hear them say something like that, I realize they have no clue about interpersonal skills, personality traits, motivational theory, or much else.
Except, I hope, security.
My next thought is that if these people are tasked with designing a security awareness training program, there's no chance they will do it right.
Most people I know don't enjoy being hit, and they will find other ways to solve their problems - like avoiding the controls in place.
Another problem I have with infosec people dismissing the whole idea of security awareness training programs is that they believe that if anyone should teach someone else about security, it has to be them!
"I am the security expert, after all, I should do the training," I often hear. I disagree.