In general, the anti-malware community splits dramatically into two camps when it comes to the evergreen debate about the effectiveness of user education and security awareness as a protective measure. One camp argues that “if education was of any use, it would have worked by now.” The other says that “education is key” and “you can’t fix social problems with technological solutions.”

Is the answer out there in No Man’s Land? We don’t believe that there is a 100% solution that will “fix” internet lawlessness, let alone human nature (if there is, it probably isn’t education). We do, however, believe, based on our own observations and experience with very large user populations, that properly targeted and implemented education and training, supplemented by other non-technological approaches such as sound policy enforcement, can play a vital part in a multi-layered defensive strategy. In this paper we will therefore consider:

• The arguments for and against devoting resources to education, training and security awareness
• Approaches to integrating social, less-technological approaches to security into a formal defensive framework
• User-friendly approaches to teaching computer hygiene to audiences with very mixed experience and technical knowledge.