Short post today, sorry. I just wanted to point out the recent post from the ISC about Security Awareness.
Promoting Security Awareness is an ongoing challenge in our field. Without a good understanding of security issues and a general awareness of them, getting appreciation at the senior management level for those issues is a real problem. Security Awareness is critical in influencing business decisions to include (and hopefully fund) security components in every project, protecting the corporate assets from both theft and lawsuits.
It’s a pretty quick but thought-provoking read. There is also a survey at the bottom that I encourage everyone to take. Some may think it’s interesting that I post this after talking about Marcus Ranum’s Dumb Security Ideas (especially number 5), but I never said I agreed with everything he says.
Education is very important, be it one less user who posts their passwords on stickies on the monitor or one more guy who locks their cabinet drawers at night when they leave the office. Sure, the majority may think it’s stupid and ignore you or click through the admittedly dumb flash video, but one or two will get it and those one or two will lower your overall risk.
Should you put policies and operational configurations in place that prevent user stupidity? Yes. Given a choice, people will go with what hassles them the least and that’s rarely the method that we prefer. Of course, we’re highly unlikely to get that past management because it will hinder business development (or similar). So work with them (users and management) and find a middle ground. You’ll sleep better.
Or you could buy a pair of snips.