Hi everyone, Ed Amoroso here, and I want to talk to you about Security Awareness. Now let's start by just talking about awareness. And usually, we reference awareness in the context of a big campaign. What are the two big campaigns we've all seen to convince us to do something? Number 1 is don't smoke, and number 2 is wear a seatbelt, right? I don't care where you are, what country, where you live, you've been subjected to pretty good advice through awareness campaigns to not smoke and to wear seatbelts. So what's come of these two great campaigns? Still a lot of people smoke and a lot of people don't wear seatbelts. I think it's just maybe one of the basic aspects of human beings, it could be. But human beings, you'll never be able to get 100% of human beings to follow really good advice. So here's what this means for us as technologists. It's a really bad design decision if you assume that you can convince a large population of users to behave in a certain way. It just isn't going to happen. Now, it is a good idea to try. Because look, let's say you have a 100 users and you want them all to be careful that they don't click on something that appears suspicious. If you completely punt on the awareness and you say, I'll just let them do whatever, I don't know, I'm just making this up. Maybe half of them will click. You got half of your 100 users or 1,000 users, whatever you have, clicking on this stuff and you're inheriting that risk, if through an awareness campaign. So for example, awareness months or security awareness days. Or having booths or tables outside cafeterias, helping people be more aware and be more cognizant of the impact of making bad decisions about security. All of that is a good idea. Because let's say you can go from half of your users clicking or whatever you're trying to avoid to, I dont know, maybe a tenth of them. Well, if it's 40% of your users not clicking, it's still a great idea, so you should do it. It reduces the risk, it reduces the intensity of the burden of your cybersecurity components to stop the intended risk. People clicking on all these links, there might be malware making its way into your enterprise. So reduce that by all means. The concept of awareness is a really good idea. But you can't assume that awareness campaigns are going to be 100% successful. That's the computer science element here. The computing and design component here is that as you, the designer, building a cybersecurity system, it is colossal mistake to say, well, we can't have people do this thing. So let's just train them to not do it. That doesn't work. It's a foundational component. Occasionally in our videos here, we identify things that I think go deeper than just sort of a surface understanding. Now I want this to penetrate, let me say it again. When you're making a system, building a system, designing a system, and you need users to behave in a certain way to avoid a condition, well, you better not rely on training or using awareness as the basis for that. Because there will always be a percentage of those users who are not going to take your advice. It's just, like I said, it may be something about human beings. It is hard to say. I don't think we should be depressed about that. I think we should just accept it. And accept that that's something that computer system designers have to factor into the set of functional requirements that drive something they're building. So again, let's sort of recap here. Security Awareness Days, tables, programs, videos, all of the above. These are wonderful ideas. These are things we should be doing in business. And a lot of you who maybe start a career in cybersecurity might work in this areas. But we have to make sure that we understand the limitations. So that just like with smoking campaigns, seatbelt campaigns and the like, a certain percentage of our target audience is not going to take the advice. Is not going to do what we recommend that they do. And as a result, it'll have some impact on our system if we're overly reliant on the awareness as a primary control. I hope this has been useful for you and I hope you'll see us in the next video.
