I don't want to start a debate here over who invented anti-virus. According to Dark Reading it is Peter Tippett. (See the recent debate over who invented the firewall here. Is Dark Reading going to also knight the inventor of malware if they can track him down?)
In a speech last week Tippett made some great points. Here is my favorite:
For example, today's security industry focuses way too much time on vulnerability research, testing, and patching, Tippett suggested. "Only 3 percent of the vulnerabilities that are discovered are ever exploited," he said. "Yet there is a huge amount of attention given to vulnerability disclosure, patch management, and so forth."
But Tippett has his own blind spots about the state of IT security. He also states:
Security awareness programs also offer a high rate of return, Tippett said. "Employee training sometimes gets a bad rap because it doesn't alter the behavior of every employee who takes it," he said. "But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn't that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?"
That's a lot of "ifs" there, Peter. I would rather spend $100K on an authentication program that does not require user-defined passwords than $10,000 every year, forever, trying to get my users to stop using "Pistons", "Patriots", or "Redwings" as their passwords.
Security awareness training for end users is a complete waste of time and money. Save your money for real security solutions that solve real deficiencies in your defenses.