ABSTRACT

One popular approach to security awareness metrics is to measure the success of awareness efforts by comparing user malware infection rates before and after an awareness campaign. Some security awareness training may be ineffective when weighed against the cost of providing it, and many awareness programs are offered primarily to meet regulatory compliance requirements. Some security practitioners believe that awareness is unnecessary because effective, automated security tools are now deployed. Such tools enforce organizational policies and standards that end users might otherwise bypass for the sake of convenience, and technical controls have diminished some threats once associated with end-user actions and inactions, such as failing to patch operating systems promptly or to keep antivirus definitions current. However, security vulnerabilities created by individuals seeking to reduce barriers to convenience have likely existed for as long as the security profession itself. Where people retain the ability to override or disable technical controls, poor judgment about the level of risk can still result in security issues.