Why employees shouldn’t be trained for security awareness
If there’s one myth in the information security field that just won’t die, it’s that an organisation’s security posture can be substantially improved by regularly training employees in how not to infect the company.
You can see the reasoning behind it, of course. RSA got hacked through a Word document with an embedded Flash vulnerability. A few days later the company’s entire SecurID franchise was at risk of becoming irrelevant once the attackers had gone off with the private keys that ruled the system.