Dangerous meme

According to Wikipedia a meme consists of some sort of a self-propagating unit of cultural evolution. I think of it as an idea that through repetition and use becomes common knowledge and is often used to the detriment of clear thinking. A meme is supposed to be the cultural equivalent of a gene.

Take security awareness training for example. Anytime a security wonk complains that security awareness training has to be beefed up to address some failing in end user behavior I believe there is a failure in technology.

Security awareness training is like the "Quidado!" sign a hotel or airport erects over a puddle in the middle of the hallway. A dangerous situation is addressed with a sign instead of the immediate application of a mop. In some way you get the feeling that the owners of the establishment have avoided liability by erecting a sign.

Here we have a CIO of a security solution provider harping on security awareness training. I say no. Education is not key to security. Good security technology is key to security. If there is a risk associated with people opening attachments give them an anti-virus product that makes them safer. If AV is not enough, patch their systems to avoid vulnerabilities. If that is not enough consider a different email infrastructure. If that is not enough consider a better computing platform.

If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure.

This meme must be eradicated from the gene pool.