http://emergentchaos.com/archives/2006/11/on-awareness.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2006/11/on-awareness.html/comment-page-1#comment-2886 Iang Fri, 24 Nov 2006 20:24:52 +0000 http://emergentchaos.com/?p=2071#comment-2886 Darn, another fashion I was too early for: <a href="https://financialcryptography.com/mt/archives/000279.html" rel="nofollow">User education: worse than useless</a>. Seriously though, the point being made dominates your point: If the tool is unusable then user education isn't going to fix it. Fix the tool, and then it may be worth thinking about education ... or, heck, it might be worth thinking why it is that ones policy still cries out for education. Policy issues such as sharing confidential information can be responsive to re-engineering. E.g., Lynn Wheeler's much lauded x9.59 payment system which re-engineered all the payment systems account numbers from "secret" to "non-secret" and thus dealt with the difficulty of securing those numbers. Darn, another fashion I was too early for: User education: worse than useless.
Seriously though, the point being made dominates your point: If the tool is unusable then user education isn’t going to fix it. Fix the tool, and then it may be worth thinking about education … or, heck, it might be worth thinking why it is that ones policy still cries out for education.
Policy issues such as sharing confidential information can be responsive to re-engineering. E.g., Lynn Wheeler’s much lauded x9.59 payment system which re-engineered all the payment systems account numbers from “secret” to “non-secret” and thus dealt with the difficulty of securing those numbers.

]]> http://emergentchaos.com/archives/2006/11/on-awareness.html/comment-page-1#comment-2885 Nik Wed, 22 Nov 2006 04:42:20 +0000 http://emergentchaos.com/?p=2071#comment-2885 Well said. I'm all in favour of limiting the capabilities given to users where possible; a lot of security breaches happen because Joe User is just trying to get his job done, so if you give him (for example) an insecure way to transfer files you can't moan too much when he uses it. But as you say, there are plenty of security problems that cannot be sensibly mediated by technology, so a good education program is essential. Indeed, user awareness is one of the best value security barriers you can provide, as it is far more flexible than most technical barriers. Well said. I’m all in favour of limiting the capabilities given to users where possible; a lot of security breaches happen because Joe User is just trying to get his job done, so if you give him (for example) an insecure way to transfer files you can’t moan too much when he uses it.
But as you say, there are plenty of security problems that cannot be sensibly mediated by technology, so a good education program is essential. Indeed, user awareness is one of the best value security barriers you can provide, as it is far more flexible than most technical barriers.

]]> http://emergentchaos.com/archives/2006/11/on-awareness.html/comment-page-1#comment-2884 Kenneth F. Belva Tue, 21 Nov 2006 17:48:11 +0000 http://emergentchaos.com/?p=2071#comment-2884 I think this issue is one that is still widely open (as opposed to something like vulnerability management which is more defined). The interesting question posed: “What is the line between what can and cannot be reasonably taught that would satisfactorily alter human computing behavior for the better???? See for a brief blog entry: <a href="http://www.bloginfosec.com/?p=97" rel="nofollow"><a href="http://www.bloginfosec.com/?p=97" rel="nofollow"><a href="http://www.bloginfosec.com/?p=97" rel="nofollow"><a href="http://www.bloginfosec.com/?p=97" rel="nofollow">http://www.bloginfosec.com/?p=97</a></a></a></a> Ken <a href="http://www.bloginfosec.com/" rel="nofollow"><a href="http://www.bloginfosec.com/" rel="nofollow"><a href="http://www.bloginfosec.com/" rel="nofollow">http://www.bloginfosec.com/</a></a></a> I think this issue is one that is still widely open (as opposed to something like vulnerability management which is more defined).
The interesting question posed: “What is the line between what can and cannot be reasonably taught that would satisfactorily alter human computing behavior for the better????
See for a brief blog entry:
http://www.bloginfosec.com/?p=97
Ken
http://www.bloginfosec.com/

]]> http://emergentchaos.com/archives/2006/11/on-awareness.html/comment-page-1#comment-2883 David Brodbeck Tue, 21 Nov 2006 17:44:10 +0000 http://emergentchaos.com/?p=2071#comment-2883 I think even if you use technology to enforce security policy, you need user education. If users don't understand WHY certain actions aren't allowed, they're going to try to circumvent the technology, and they can be fiendishly clever about it. It really helps to take the effort to explain to them why security is important and how they benefit from it, so you aren't just seen as someone who makes their job difficult. I think even if you use technology to enforce security policy, you need user education. If users don’t understand WHY certain actions aren’t allowed, they’re going to try to circumvent the technology, and they can be fiendishly clever about it. It really helps to take the effort to explain to them why security is important and how they benefit from it, so you aren’t just seen as someone who makes their job difficult.

]]>