I’m amazed at how many people are offering advice on what information security topics I should be deploying. They seem to know what training is needed despite having never met me or my beautiful users and not knowing anything about my organisation or it’s goals. There are plenty of top ten lists of awareness topics. Numerous generic training packages are available on the internet. I’ve got nothing against generic awareness materials or topic lists as such. In fact some of it is very professional and far better than individual organisations could create. While it might be easy to use someone else’s training package or use their list of recommended training topics that doesn’t necessarily make it a good idea. I worry that we haven’t properly defined the problem that we’re trying to solve. If training material X is the solution, what was the problem?