Security awareness can be the most cost-effective security measure

25.07.2012


The question to ask is whether the losses prevented by awareness training exceed the cost of the awareness program. For example, every successful phishing attack has a cost associated with it, so if you reduce phishing attacks by 50 percent, you are mitigating 50 percent of the potential losses. But Aitel uses a 2004 example as proof of his opinion: after a four-hour training session, the quality of which nobody can vouch for, there was still a 90 percent success rate for phishing attacks.

That literally proves nothing.

Clearly awareness techniques have improved since then, but even so, the question to pose is: "What were the cost savings from the 10 percent reduction in successful attacks, compared to the cost of the training program?" And this is only the most obvious weakness of his use of that example.

The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction in loss will always be a good return on security investment, especially when the cost of a typical security awareness program is minimal.