Shostack + Friends Blog Archive


Training is not the answer

Florence Olsen writes in Federal Computer Week about security training:

Last year, for example, officials at a federal financial institution tested employees’ adherence to the agency’s computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. [Kathy Coe, regional director of educational services at Symantec]

Against agency policy, they opened an e-mail attachment that purported to show a traffic snarl in Washington, D.C., after a North Carolina tobacco farmer drove his tractor into a shallow pond on the National Mall.

Without consistent and continuous user awareness training, Coe said, all of us are easy prey.

How about without software that allows us to do our job, all of us are easy prey? People opened email attachments? Fire them at once! How about providing them with tools that make it hard to make mistakes? I suspect that most white collar workers need to open email attachments through the course of the day. Probably a fair number of them. The software that IT professionals deploy needs to support that. Security personnel who try to change human nature — don’t think about a pink elephant — aren’t doing anyone any good.

This may mean building a business case for a more secure email client, or an email screening system at the server, or both. It's time and effort that will ultimately be more rewarding than trying to convince people not to open their email.
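As an added illustration of what "an email screening system at the server" can look like in practice (this is example code written for this post, not code from the blog or from any product), the following Python function parses an incoming message and quarantines it when an attachment violates a simple policy. The blocked-extension list, the double-extension rule and the magic-byte check are assumed policy choices; the sample message, including its fake "MZ" payload, is constructed inline so the example runs offline.

```python
"""
Server-side attachment screening (added example, not from the original post).
Policy details below are assumptions chosen to illustrate the idea that the
tooling, not the user, should catch a disguised executable.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions the assumed policy refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Leading bytes of a Windows PE executable, checked regardless of filename.
PE_MAGIC = b"MZ"


def screen_attachment(filename, payload):
    """Return the list of policy violations for one attachment (empty means allowed)."""
    reasons = []
    name = (filename or "").lower()
    parts = name.split(".")
    # Final extension, e.g. ".exe" for "traffic_snarl.jpg.exe".
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    # A second extension hidden before the last one ("photo.jpg.exe") is a common disguise.
    if len(parts) > 2:
        reasons.append("double extension")
    # Inspect content, not just the name: a renamed executable still starts with MZ.
    if payload[:2] == PE_MAGIC:
        reasons.append("PE executable signature")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and screen every attachment.

    Returns (verdict, findings) where verdict is "deliver" or "quarantine" and
    findings maps offending attachment names to their violation reasons.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        reasons = screen_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    verdict = "quarantine" if findings else "deliver"
    return verdict, findings


def build_sample_message():
    """Constructed sample: one benign attachment and one disguised 'executable'."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "employee@example.gov"
    msg["Subject"] = "Traffic snarl on the Mall"
    msg.set_content("Look at this photo!")
    msg.add_attachment(b"quarterly numbers\n", maintype="text", subtype="plain",
                       filename="report.txt")
    # Fake PE: just the MZ header plus padding, so no real executable is embedded.
    msg.add_attachment(PE_MAGIC + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="traffic_snarl.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, findings = screen_message(build_sample_message())
    print(verdict, findings)
```

A real deployment would add more signals (archive inspection, macro detection, sender reputation) and would log the quarantine decision so the security team can see how often users are being protected rather than blamed; the point of the example is only that the decision happens before the attachment ever reaches the user's inbox.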

(Via InfoSecNews.)