Jamie.R wrote: I guess the question I am asking is how can you make an end user care about security. It seems to me that most end users don't care unless something affects them directly.
Companies can spend as much money on training as they want, but unless the end user puts into practice what he/she has learned, IMO the training is pointless.
I'm a believer in what Thomas Smith wrote regarding advertisement. Just replace the word "ad" with "security recommendation" and you'll see what it takes to make end-users want to participate in securing their organization:
"The first time people look at any given ad, they don't even see it.
The second time, they don't notice it.
The third time, they are aware that it is there.
The fourth time, they have a fleeting sense that they've seen it somewhere before.
The fifth time, they actually read the ad.
The sixth time they thumb their nose at it.
The seventh time, they start to get a little irritated with it.
The eighth time, they start to think, "Here's that confounded ad again."
The ninth time, they start to wonder if they're missing out on something.
The tenth time, they ask their friends and neighbors if they've tried it.
The eleventh time, they wonder how the company is paying for all these ads.
The twelfth time, they start to think that it must be a good product.
The thirteenth time, they start to feel the product has value.
The fourteenth time, they start to remember wanting a product exactly like this for a long time.
The fifteenth time, they start to yearn for it because they can't afford to buy it.
The sixteenth time, they accept the fact that they will buy it sometime in the future.
The seventeenth time, they make a note to buy the product.
The eighteenth time, they curse their poverty for not allowing them to buy this terrific product.
The nineteenth time, they count their money very carefully.
The twentieth time prospects see the ad, they buy what it is offering."