A post on the Slashdot site summarizes the controversy: "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers."
A flurry of posts followed, each arguing either for or against. My take on this: "This is an artificially created problem, because it's not an either/or issue. It's 'do both' until the systems are highly secure. The problem is that the attacker is human, and so is the target. Until we can afford artificial intelligence systems like IBM's Watson to correctly identify spear-phishing attacks, we'd better give end users security awareness training as a critical security layer in our defense-in-depth model."