Impressing Security Upon End-Users Visually? 157

Posted by Soulskill
from the shake-your-fist-and-glare dept.
get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Saturday October 24 2009, @11:27AM (#29856871)

    Some users will "get it" with just a simple explanation. They're the easy ones to deal with. Give them an example, explain how it'll harm them, and they won't fuck up again.

    Other users, however, should probably be treated like children, or in some cases, dogs. It doesn't matter how many times you tell or show them what not to do. They won't understand the harm it's causing.

    Your only option is to yell at those idiots. Yell and yell and yell and yell. Make them feel like the shit that they are. They still won't understand why they shouldn't do the things you tell them not to do. They just won't do it to avoid your angry reaction.

  • by John Hasler (414242) on Saturday October 24 2009, @11:38AM (#29856963) Homepage

    ...about computer security? Those work so well.

  • by NoYob (1630681) on Saturday October 24 2009, @12:03PM (#29857161)
    What some will do then is go out of their way to click on shit to fuck things up. Treating people like shit will never work.

    Then, if you work in a company, said stupid people will undermine you. They'll make sure mgt knows you're insulting and unprofessional. Anything breaks, they'll let their bosses know that you were the one who "fixed" it and that your fixes don't work.

    Treat people like children and they will usually act like children.

  • Videos help? (Score:4, Insightful)

    by MrCrassic (994046) <mrcrassic.gmail@com> on Saturday October 24 2009, @12:08PM (#29857209) Homepage Journal

    I figured that most people would treat videos on computer security like the videos that teachers would show at school. Their reaction?

    "NO WORK!!!"

    I think that what's most effective is just enforcing your security policies using Group Policy or other management tools on the network. That way, you KNOW that most people won't violate any policies set forth, and those that do are the ones that didn't need the training in the first place.

    If you're really adamant about educating your employees with videos and such, find REALLY GOOD videos that will hold their attention for their entire run. Remember, at the end of the day, those computers don't belong to them and most of them simply wish to get work done. Any teaching method which can exploit these two truths for educational value is probably worth watching.

  • Dark Ages (Score:2, Insightful)

    by banished (911141) on Saturday October 24 2009, @12:10PM (#29857223)
    My company's solution is to lock down the systems so tightly as to turn network systems into standalone systems.
  • by Brett Buck (811747) on Saturday October 24 2009, @12:17PM (#29857257)

    Your only option is to yell at those idiots. Yell and yell and yell and yell. Make them feel like the shit that they are. They still won't understand why they shouldn't do the things you tell them not to do. They just won't do it to avoid your angry reaction.

    That will be a great story to tell all those people you meet at the unemployment office, there, tough guy.

    Brett

  • by petes_PoV (912422) on Saturday October 24 2009, @12:20PM (#29857277)
    Viruses, worms etc. aren't really the users' problem - unless you can categorically point the finger at an individual and get them fired (as an example, pour les autres). Why should they care if THE COMPANY computers crash, or slow down or give them reasons why they can't do their job?

    So why should they go to the inconvenience of not clicking on links that they want to, or not visiting any website that takes their fancy? By appealing to their "professionalism" or "humanity" or "team spirit" you're probably on a loser. While these might get them gee-d up for a short time, you can bet that unless there's some personal pain involved in doing it, they'll be back to their old habits in a few weeks' time.

    Once you can put security in terms a normal user will understand: i.e. If you click on a bad website, these bad things will happen TO YOU, they'll pay attention. Until then you haven't got a chance.

  • Note to Firefox devs, improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over Internet Explorer in the Enterprise.

    You know, sticking this down in some random response on a Slashdot discussion thread is not the most likely way to have Firefox devs see and possibly implement what you're looking for. Have you posted this over at mozilla.com?

  • Re:Explosions! (Score:3, Insightful)

    by pentalive (449155) on Saturday October 24 2009, @12:22PM (#29857289) Journal
    That may have the same sort of effect as "Reefer Madness" = Audience ignores message due to "over the top"ness of the presentation.
  • by OpenSourced (323149) on Saturday October 24 2009, @12:23PM (#29857297) Journal

    Nobody learns to avoid fire by being told. You have to get near and feel the heat to know you better not do it. So my advice is: make traps. Send them emails signed by another coworker asking for their password. Send them executable files that block their computer and flash a sign telling them that all their files are being erased, just because they executed a file from an unknown origin. All kinds of traps, with nasty consequences if possible, you don't want them to click into everything because it can be another amusing idea of yours. You want them scared of your ideas so that they look askance at every email or web page to see if it could be a trap. As they might be, so that's the right attitude.

  • by quickOnTheUptake (1450889) on Saturday October 24 2009, @12:32PM (#29857365)
    As funny as I found your comment, as a serious note it's a bit too simplistic.
    Ultimately the one weak link in security that is always present is the user. So you have to either hamper the user, and progressively cripple his ability to use the computer or you have to educate him of who to trust and who not to.
    Any power you give the user is a power he can ultimately be tricked into misusing.
  • Re:Explosions! (Score:3, Insightful)

    by Runaway1956 (1322357) * on Saturday October 24 2009, @01:37PM (#29857873) Homepage Journal

    Hmmm. I read the posted question/summary. Started scrolling down, reading comments. Stopped. Go back up and read just the title. Hmmm. Forget everything else, just concentrate on the title.

    Could you make some kind of a monitoring app, which displays a graphic?

    I don't mean to make a new antivirus. Just some graphic attached to existing antivirus and anti-malware software. It monitors the stupid things people do, and displays a ribbon or something across the top of the toolbar. Put a red end on the ribbon, and the red starts filling up the ribbon. When the user does something REALLY stupid, he gets popups, which grow more and more annoying.

    For people with a clue, the ribbon just serves as a reminder. For people without a clue, those popups get more and more "In your FACE". Give the thing the ability to log those events and warnings, so the IT guy can bring it up, and show the idiot who refuses to be warned.

    Just an idea - but I think it would be helpful to stick something like that on your most obtuse users' desktops.

  • by maharb (1534501) on Saturday October 24 2009, @09:21PM (#29861271)

    Anti-*** doesn't do crap except detect the old stuff that has been out forever. Sure it will reduce the number of malware items by 25-50% but that is hardly enough because even one item of malware can disable the anti-malware systems and let the rest in.

    I agree with the idea that employees should not be docked pay.. as that is a bit harsh. Users DO need to be held accountable for their actions though. Just as an employee would be held accountable for a physical security breach (bringing that hobo to work) an employee should be held accountable for other types of security breaches, if they have had proper training. If a user is breaching business policy and ends up with an infected computer, then they should be reminded that the policy is there for a reason. How they are reminded depends on lots of factors such as the severity of the breach, past history of the user, degree of stupidity that it took to contract the virus, etc.

    Educating employees on how to not get owned by viruses is far more important than setting up some anti-virus software and calling it good.

    There is obviously lots of gray area in this topic but using only technical solutions to a problem that is not only technical is the wrong approach. You need to use managerial and technical solutions to properly manage the IT infrastructure.
