
Why I Changed My Mind about Federal User Cyber Training


John Breeden II, a long-time skeptic of the mandatory workplace cybersecurity training he has received, now believes his criticism has been misplaced. Incidents showing the ineffectiveness of such training don’t indicate that users are “stupid” and untrainable, he argues; the real problem is the nature of the training, which typically lacks the kind of interactivity and individual adaptation that would make it effective.

Furthermore, user training remains a necessary part of a layered protection system. “Even the best mail security programs and appliances I’ve ever tested were only about 99% accurate, and those were the cream of the crop. … If only 1% of those threats are running the gauntlet, that’s 180,000 bad emails getting delivered each day.” He also notes the irony that users at highly protected organizations come to let their guard down, becoming more likely to fall for any rare well-crafted phishing attempt that they encounter.
