The Ethical Hacker Network (EH-Net) forum, Physical Security board
Topic: End User Training (Read 1137 times)
Jamie.R (Sr. Member, Posts: 429)
« on: April 15, 2013, 02:47:16 AM »

Hi all,

I was recently onsite for around two weeks and noticed a lot of things that were, let's just say, plain wrong. I was not doing a security assessment of any type; I was just there to help the IT help desk. During my time onsite I saw passwords being sent via email, passwords around computer screens, and users would get up and leave me with their computer without even asking who I was.

So I guess my question is, other than training, what other ways are there to teach end users about security? How hard do you think the lesson should be?

I guess one of the problems with the end user is they don't care, as it's the company being attacked, not them, so do you think it is ethical to target the user?

OSWP | Hackingdojo Nidan | eCPPT
Grendel (Full Member, Posts: 242)
« Reply #1 on: April 15, 2013, 09:51:38 AM »

Quote from: Jamie.R on April 15, 2013, 02:47:16 AM
So I guess my question is, other than training, what other ways are there to teach end users about security? How hard do you think the lesson should be?

Other than training? The only things left are that organizations have to be punitive, or implement security apps that force compliance with security policies... but that's the big problem: there have to be security policies, and they need to be supported high within the organization.

However, the MOST effective method of improving security within an organization has been training, so that's where most of the money and efforts have been placed, and rightly so.

- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
n37sh@rk (Newbie, Posts: 34)
« Reply #2 on: April 16, 2013, 07:59:39 AM »

I see these same things every day. It was worse when I worked for a local medical profession. Users getting up with patient data showing and computers not locked. I agree with Grendel: the only way to fix or work on this is to have the support of upper management and have strict policies. You could try setting the screen timeouts and using group policy, but that's still a long shot to getting users to comply.

C|EH
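The screen timeout and group policy control n37sh@rk mentions maps to three Windows user policy values (the "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" settings under User Configuration > Administrative Templates > Control Panel > Personalization). The following PowerShell is an added example, not code from the thread or from any of its posters: it audits those values on the local machine and can apply them where no domain GPO is doing so. The 900-second threshold and the choice to enforce locally rather than via a domain GPO are assumptions for the example.

```powershell
# Added example (not from the thread): audit and optionally enforce the
# Windows screen-saver lock policy. The registry values below are the ones
# the Personalization GPO settings write; the 900-second limit is an assumption.

$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxTimeoutSeconds = 900   # assumed acceptable idle time before lock

function Get-ScreenLockPolicy {
    # Read the policy values; any that is not set comes back as $null.
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaveActive    = $props.ScreenSaveActive      # '1' = screen saver forced on
        ScreenSaverIsSecure = $props.ScreenSaverIsSecure   # '1' = password required on resume
        ScreenSaveTimeOut   = $props.ScreenSaveTimeOut     # idle seconds before it starts
        ScreenSaverExe      = $props.'SCRNSAVE.EXE'        # "Force specific screen saver"
    }
}

function Test-ScreenLockPolicy {
    # Compare the current values against the expected settings and list findings.
    param([int]$MaxSeconds = $MaxTimeoutSeconds)
    $p = Get-ScreenLockPolicy
    $findings = @()
    if ($p.ScreenSaveActive -ne '1')    { $findings += 'screen saver is not forced on' }
    if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'screen saver does not require a password' }
    if (-not $p.ScreenSaveTimeOut -or [int]$p.ScreenSaveTimeOut -gt $MaxSeconds) {
        $findings += "timeout is '$($p.ScreenSaveTimeOut)' (want a value of at most $MaxSeconds seconds)"
    }
    # Without a screen saver executable the other three settings never trigger a lock.
    if (-not $p.ScreenSaverExe) { $findings += 'no screen saver executable is forced (SCRNSAVE.EXE unset)' }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-ScreenLockPolicy {
    # Write the policy values locally, mirroring what a domain GPO would push.
    param([int]$TimeoutSeconds = $MaxTimeoutSeconds)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    # Group Policy stores these as REG_SZ strings, not DWORDs.
    Set-ItemProperty -Path $PolicyPath -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyPath -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $PolicyPath -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $PolicyPath -Name 'SCRNSAVE.EXE'      -Value 'scrnsave.scr' -Type String
}

# Usage: audit first; run Set-ScreenLockPolicy only on machines not already covered by a GPO.
$result = Test-ScreenLockPolicy
if ($result.Compliant) {
    Write-Output 'Screen lock policy: compliant'
} else {
    $result.Findings | ForEach-Object { Write-Output "Screen lock policy: $_" }
}
```

Because these live under the HKCU Policies hive, a domain GPO will overwrite whatever is set locally at the next policy refresh, so the audit function is the part worth running fleet-wide; the set function is only a stand-in for a GPO on machines that are not domain-joined.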
m0wgli (Full Member, Posts: 248)
« Reply #3 on: April 16, 2013, 05:23:30 PM »

Quote from: Grendel on April 15, 2013, 09:51:38 AM
However, the MOST effective method of improving security within an organization has been training, so that's where most of the money and efforts have been placed, and rightly so.

I'm not disagreeing with you, but I'd be interested in examples of how this has proven to be the most effective method of improving security in your experience.

From what I've read, Security Awareness Training would appear to be a very contentious issue, for example:

On Security Awareness Training: The focus on training obscures the failures of security design

Arguments Against Security Awareness Are Shortsighted: A counterpoint to Bruce Schneier's recent post on security awareness training for users

Does Security Awareness Training Actually Improve Enterprise Security?

Security + | OSWP | eCPPT | CSTA
Grendel (Full Member, Posts: 242)
« Reply #4 on: April 16, 2013, 07:21:12 PM »

What I'm about to say will undoubtedly sound pedantic, but please understand you hit a nerve of mine that stems from a continual need by many to be noticed (even if they don't say anything valid). But the examples you provided are perfect examples of noise, simply for the sake of noise. There are a lot of posts similar to what you pointed to that are more like blogs, and less like valid research in the field of InfoSec. As a researcher, you always have to look at the source material and evaluate its validity in a discussion of this matter.

Simply put, none of the articles you linked have any research value. Instead, check out legitimate research, like that done by Susan Hansche, professor at George Mason University (as an example). In "The Privacy Papers" (published by Auerbach), she writes that "corporations and government agencies... will have to dedicate more resources to staffing and training of information system security professionals," and that employees "are not aware of the security consequences caused by certain actions... Thus it is imperative for every organization to provide employees with IT-related security information that points out the threats and ramifications of not actively participating in the protection of their information."

She also indicated that "informed and trained employees can be a crucial factor in the effective functioning and protection of information systems." She also documents her findings, something that doesn't exist in your articles.

There is a ton of real research, performed by real researchers out there, with research statistics to back up their claims. I just get frustrated reading articles like what you pointed out without any real research being done... And then people (not necessarily you) quote them as something close to gospel.

</rant>

- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
Jamie.R (Sr. Member, Posts: 429)
« Reply #5 on: April 17, 2013, 02:27:04 AM »

I guess the question I am asking is how you can make an end user care about security. It seems to me that most end users don't care unless something affects them directly.

Companies can spend as much money on training as they want but unless the end user puts into practice what he/she has learned IMO the training is pointless.

So when doing a Pen Test/Social engineering, should targeting an individual and their personal life be more in scope?

OSWP | Hackingdojo Nidan | eCPPT
Grendel (Full Member, Posts: 242)
« Reply #6 on: April 17, 2013, 06:19:39 PM »

Quote from: Jamie.R on April 17, 2013, 02:27:04 AM
I guess the question I am asking is how you can make an end user care about security. It seems to me that most end users don't care unless something affects them directly.

Companies can spend as much money on training as they want but unless the end user puts into practice what he/she has learned IMO the training is pointless.

I'm a believer in what Thomas Smith wrote regarding advertisement. Just replace the word "ad" with "security recommendation" and you'll see what it takes to make end-users want to participate in securing their organization:

"The first time people look at any given ad, they don't even see it.
The second time, they don't notice it.
The third time, they are aware that it is there.
The fourth time, they have a fleeting sense that they've seen it somewhere before.
The fifth time, they actually read the ad.
The sixth time they thumb their nose at it.
The seventh time, they start to get a little irritated with it.
The eighth time, they start to think, "Here's that confounded ad again."
The ninth time, they start to wonder if they're missing out on something.
The tenth time, they ask their friends and neighbors if they've tried it.
The eleventh time, they wonder how the company is paying for all these ads.
The twelfth time, they start to think that it must be a good product.
The thirteenth time, they start to feel the product has value.
The fourteenth time, they start to remember wanting a product exactly like this for a long time.
The fifteenth time, they start to yearn for it because they can't afford to buy it.
The sixteenth time, they accept the fact that they will buy it sometime in the future.
The seventeenth time, they make a note to buy the product.
The eighteenth time, they curse their poverty for not allowing them to buy this terrific product.
The nineteenth time, they count their money very carefully.
The twentieth time prospects see the ad, they buy what it is offering."

- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
ajohnson, aka dynamik (Hero Member, Recruiters, Posts: 1060)
« Reply #7 on: April 17, 2013, 07:25:13 PM »

Also, when I do SAT, I emphasize that I'm teaching them things to keep them safe at home as well as at work. People will care a lot more when it's personal, and anything that sinks in will hopefully become ingrained as part of their normal behavior regardless of where they are.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Jamie.R (Sr. Member, Posts: 429)
« Reply #8 on: April 19, 2013, 02:36:52 AM »

Thanks a lot, this has given me some ideas. I get sent onsite a lot and one company is extremely bad with security despite my warnings. So I was trying to think of other ways to get it into their heads that certain things they do should just not be done.

OSWP | Hackingdojo Nidan | eCPPT