Do we need user education?

The post "We Don’t Need No Education" from Securosis caught my eye. The discussion about user education started after some articles from Rational Survivability: McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security" and "Why Security Awareness Campaigns Matter". Additionally, the comments on the posts are interesting to follow.

From Securosis:

In an enterprise environment, user security training is not:
1. Telling users not to open emails from people they’ve never heard of
2. Telling users not to click on random links on web pages
3. Telling users to patch their own systems

Trying to make users change the way they interact with their tools is very challenging, and the very nature of viruses, phishing, and the like makes it very challenging for users to correctly discern the difference between legitimate and hazardous emails and websites. So these are ideal problems for solving with technology. Awareness of the threats, however, is directly useful for users, as they are often the first people to notice issues and notify the helpdesk.

Good security training focuses on broader problems that don’t lend themselves to pure technology solutions. Training can be broken down into two major categories, General and Group-Specific. General security training is appropriate for all employees regardless of their job role. Group-Specific security training focuses on particular skills that are relevant to only a portion of the company.

Examples of General Security Training include:
1. Education on policies and procedures
2. Fire/Tornado Drills
3. What to do in an emergency, e.g., how to get 911 (or equivalent); how to contact on-site security
4. Locations of First Aid kits
5. Who to contact if you believe you have identified a security threat or risk
6. “If you see something, say something”
7. Not faxing/emailing organizational charts, phone lists, or other protected corporate information offsite
8. Rules for how to handle confidential information
9. Travel safety tips

Read the full post. Personally, I have always been an advocate of user education. Now, finding the perfect formula, that's work in progress.

UPDATE (18/03/2007): Five Mistakes IT Groups Make When Training End-Users (CIO.com)

Posted by Security4all on Saturday, 15.3.08
Labels: user awareness