As Black Hat attendees were buzzing over a recent CSO guest column by Immunity Inc. CEO Dave Aitel, in which he dismissed the value of security awareness training, security vendor PhishMe decided to conduct a survey. In it, attendees acknowledged that if recent phishing trends are any indication, Aitel was right.

PhishMe interviewed 250 security professionals during the Black Hat USA conference in Las Vegas, July 24-26, and more than two-thirds said they encounter phishing messages that get past anti-spam filters and reach users' email boxes at least a few times a week.

Also see: "Why you shouldn't train employees for security awareness," by Dave Aitel

Almost a quarter of the respondents said they see such messages in users' mailboxes multiple times every day.

"Many enterprises believe that because they are using spam filtering tools or other email security technologies, they are safe from phishing attacks," said Scott Greaux, VP of product management & services at PhishMe, which offers a service that simulates phishing attacks to help train users on how to react to them. "What we found in our survey is that despite such filters, end users are presented with live, malicious attacks in their inboxes nearly every day."

Also see: "Phishing: The Basics"

Spear phishing has become a popular method of infecting enterprises with malware, according to PhishMe. In the survey, more than one quarter (27 percent) of security professionals said that top executives or other privileged users in their enterprises have been compromised by spear phishing attacks within the last 12 months. Another 31 percent of security pros said they weren't sure whether their executives or privileged users had been hit with such attacks.

More from the report:

With so many unfiltered phishing messages getting through, it is up to the end user to decide how to react -- whether to open the message, click on a link, or delete the message before it can do any damage. But PhishMe's survey of Black Hat attendees indicates that most end users receive only a bare minimum of security awareness training. Nearly half (49 percent) of the respondents said their users receive training only once a year; nearly one tenth (9 percent) said their organizations have no security training programs at all.

Among organizations that do provide security training programs, many rely heavily on scripted, delayed forms of instruction that do not provide metrics to program managers and administrators, the survey said. In fact, three of the top four training methods listed by Black Hat attendees -- recorded video/computer-based training (39.3 percent), paper tests/quizzes (32.9 percent), and handbooks/printed guides (28.5 percent) -- are largely unsuccessful. Only 16 percent of security professionals train their users via simulated attacks (multiple responses were allowed).

My quick takeaway: The message isn't that security training is a waste of time. It's that the current methods are sometimes inadequate.

Also see: "Security awareness can be the most cost-effective security measure"

Of course, even with the best training money can buy, it's still an uphill battle dealing with human nature. When you're up to your eyeballs in work, you start looking for shortcuts. In the process, you forget your training.

Discuss amongst yourselves.