Industry View | Ira Winkler on Awareness Training
Awareness training is great when people can hurt only themselves. But when people can hurt others, stronger measures are required.
As usual, Ira has once again put things into a brutally honest perspective, hitting the truth square on! And once again - I completely agree. The sad thing is the world is not ready to implement something like "secure your home PC or get off the Internet". It's the good ole "compliance" issue.
Many good points there.
I like the analogy with the car. Secure it or take it off the road. Just one thing: why do we HAVE to use the seat belt if we only hurt ourselves when not using it? Maybe the government has gone too far in regulating our behaviour?
One important thing about awareness: it's not only about home users. It also applies to business users, and if the business owner can't afford a lot of technical fancy security solutions, awareness is what you have left. Then you must trust the users to do the right thing, but unfortunately they have the option of doing the wrong thing - and you can't do anything about it.
Are we talking about awareness training for the employees in our organizations, or EVERY Internet user on the planet? I'm primarily concerned about the employees in my company. If all employees are trained in CPR or the Heimlich maneuver it doesn't mean ALL of them would be able to save a life, but I'd still feel better knowing that if I were ever choking on food there was a good chance that someone could help me. Awareness training definitely makes sense. Saying it doesn't because it can't be applied to all users of the Internet doesn't.
No Ira, it's not an either/or position. The answer is BOTH. Inform people of the threat, inform them of things they can do to reduce or eliminate the threat, then hold them accountable for the consequences. Whether it is Joe citizen or Sue employee, you significantly reduce the surface area of the problem by letting people know what can go wrong and how to stay out of trouble. And for those who still aren't sure whether they ought to do the right thing, you impose some undesirable consequence to help them make the right decision. There will still be some victims and they (the real ones) need to be given some consideration, but you will have less of a problem both ways if you start with awareness.