At Bloginfosec, an article on security awareness cites some experimental studies on the effectiveness of security awareness. In all three studies, awareness just didn’t work!
I remember Schneier once said in his blog that it’s not that people don’t care about information security, it’s just that they don’t understand it.
After implementing user awareness training (internal web portal) here in my present job, I also noticed that employees just don’t understand it. They go through the course, take the exam, and when you ask them about incident or password guidelines (internal audit) they are just blank. I don’t think other forms of awareness, like posters and mass mailers, help much in improving awareness either.
But I think if you can somehow show them (end users) the impact of, say, leaving your PC unattended without locking it (sending e-mail) or clicking on a phishing e-mail, and greet them with how stupid they are, it might help, but I am not sure.
This also reminds me of mjr and I fully agree with him on this: The Six Dumbest Ideas in Computer Security
Idea #5) Educating Users:
There have been numerous interesting studies that indicate that a significant percentage of users will trade their password for a candy bar, and the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females. If “Educating Users” is the strategy you plan to embark upon, you should expect to have to “patch” your users every week.