Waiter? Can I get fries with my Firewall?

Having both waited tables and worked in InfoSec, I can appreciate this article on "What Information Security Can Learn from Waiting Tables"

Although I can't remember anyone ever tipping me for providing security advice...


Mars Attacks Hacks

Came across a cool article today on NASA's firmware upgrade of Curiosity and the question of whether you could hack the rover. The answer is probably yes, but it's not all that easy!


Security Awareness Training

Recently I've been involved in some security awareness training for business users, and in some discussions around the effectiveness of such training, including the question "should we even bother?".

Funnily enough, as I was contemplating this post, I came across PCI Guru's post on why you should do awareness training, which was a response to David Aitel's article on 'Why you shouldn't train employees for security awareness'.

I'm on PCI Guru's side of the fence on this one. Just because awareness training isn't 100% effective (or perhaps even close) is no reason to stop doing it completely. In my view awareness training is one of the ways to get a message across, to present the information contained in all those organizational security policies no one reads and, most importantly, to communicate to the end users what is expected of them. Will they always do what you ask? Probably not, but there will be those who do internalize the message and alter their behaviour as a result. I can recall genuine surprise on the faces of some employees when I explained that email is not 'private'. Scoff if you like, but to the non-IT or non-security folks out there the fact that it's not private may never have occurred to them, just as they don't expect their cell phone calls or SMS messages to be intercepted. The 'revelation' altered end user behaviour, as they understood they may have been doing the 'wrong thing' because of their previous belief. Without security awareness training, how would the message have even reached them?

I also think that good security awareness training should be aimed at the individual: explain how they can address risks to themselves and their family by altering their behaviour, and then explain how this carries over to their behaviour in the office.

I don't disagree that Dave's alternatives to training are also very beneficial to a company, and like so many other areas of security, are part of a defence-in-depth strategy, but one that should include awareness training:


One thing that isn't mentioned is the use of security awareness training to alter the end users' opinion of the information security department. Too often the security team is seen as 'the cops' or a roadblock (and I think some of them like being seen that way), and part of the reason is that the threats and risks we are trying to address are unknown to the general audience. Through awareness training we can give end users a glimpse of the world from our point of view and (hopefully) start to find some common ground when it comes to working together to address information risks.

I don't believe we can solve our security problems with technology alone, people need to be part of the solution (and more people than just us security propeller-heads). Security awareness training may be far from perfect, but for now, it beats not doing anything to educate your workforce.
