[Enforcement or Awareness? Whats best?]
Since my posting about how seatbelt legislation improved the use of seatbelts was very popular, I like the idea of traffic rules being used as an analogy for Information Security. So it was quite exciting to see some Gartner thinkers copying me (obviously they read my blog religiously, debate it at length and then copy it. I am that good).
So, the first one was about traffic light cameras causing more accidents than stopping them. And how the government won't remove them because they make some good money from them. Enough said there. The other was about how traffic speed signs have been around for years but not very effective but speed cameras are very effective.
Reading between the lines, it seems to me that the article puts down the idea of awareness in total as being not effective. Which is fair enough. In Information Security you can preach for hours but unless you actually capture the hearts of those in the room then you are lost. They will not listen. One way to go is to use a combination of things including awareness and enforcment.
Taking Then you've won.