Should we bother with security awareness?

Bruce Schneier opines that, “training users in security is generally a waste of time.” Dave Kennedy disagrees, “Education and awareness can be effective if you take the complete opposite view of what Bruce views as an education and awareness program.”

I think that both have interesting points, and where Dave disagrees with Bruce, I agree with Dave. Bruce unfortunately skirts around what I think would be his strongest point: that failures of security design and implementation have led us to require users to take actions that make them question our security wisdom, undercutting the awareness benefits we might expect.

Passwords are a good example. Because we still have painful authentication systems, we force users into increasingly complex schemes, rather than building better systems.

Better use of awareness resources is critical, indeed, which is part of what Bruce rails about; but more importantly, “patching” design bugs with human workarounds is a sketchy idea.