informa
/
Vulnerabilities/Threats
News

Security's Simple Messages

Want users to stop acting so dumb? Then it's time to act smart

4:25 PM -- The big addition at my house this holiday season was a pair of kittens, both 12 weeks old. They're cute little things, but because they're so young, they're not too smart. They chase their own tails, get stuck under the sofa, and run headlong into walls. We're glad they're here, but they occasionally act like they were born without brains.

Which brings us, inevitably, to the subject of end users.

Yeah, yeah, I know. We've all heard the stories about users who paint their screens with white-out and call the helpdesk to ask where the "any" key is. And security? A lot of 'em don't have the sense of that yellow "password" sticky they've stuck on their monitor.

But end users, like my kittens, aren't really dumb. They just haven't learned what they need to know yet. And that's where a good teacher comes in.

In our story, "Ten Ways to Get Users to Follow Security Policy," I asked IT managers and security experts to give us some thoughts on how to make end users behave with more security savvy. (See 10 Ways to Get Users to Follow Security Policy.) I expected to get some ideas on innovative programs and practices for training users and enforcing policy, but mostly what I got were bits of advice that sounded more like they came from young parents or kindergarten teachers.

"My estimate is that around 85 percent of users don't really know about or fully understand the policies or dangers," says one IT manager.

So what started out to be a story on next-generation practices for end-user security training and monitoring now reads a little bit like "How to Train Your Cat." The messages are simple: Write understandable policies, deliver them effectively, monitor them, and enforce them. Even the most experienced security experts agree there's no secret here -- it's a simple case of effective training, followed by a vigilant program of behavior modification.

Even though the messages are simple, however, it's surprising how many of them still are not strictly followed in many organizations. Many security teams do training, but fail to follow up when new threats emerge. Many companies still spend months defining a security policy, then fail to properly monitor or enforce it.

Like any form of teaching (including cat training), security policy enforcement is an ongoing process. If you make your instructions clear, and then watch their behavior, you can teach users -- most of them, anyway -- to follow security policy and make your company's data safer. The messages may not be complex, but they're crucial, and getting them across to end users might be the single most important element of vulnerability management.

I'd write more, but I've got to go. One of the cats is stuck under the sofa again.

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5