Impressing Security Upon End-Users Visually?
get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"
Change their perspective to be self gratifying (Score:5, Interesting)
I was spending some time with some friends of mine a few months back when the inevitable malware conversation came up. These friends happened to all be quite computer illiterate. What I did instead of giving the usual spiel about malware was show them a better experience.
I sat them down and showed them how to use Firefox with NoScript. I showed them their favorite sites without all the baggage and they were amazed at the improved experience. I made sure I showed them how to use NoScript with sites like Facebook and still get what they wanted.
All of this was done in less than 15 minutes, and they now use this combination on a daily basis, not because of the improved security, but because of the improved experience. The fact that their security is improved is entirely incidental.
Note to Firefox devs: improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over from Internet Explorer in the enterprise.
Re:Don't you mean "oppressing"... (Score:4, Interesting)
Why can't users choose their own level of security; idiots be damned. But I bet you'd find a whole bunch of people wise up really fast. :P
You could try it but I doubt it will make your life easier. Most users don't understand and don't care and will expect you to fix their mistakes over and over again. Most of them have some kind of twisted pride in their ignorance.
There was research done on office staff by flashing up random warning messages on their screens, most users ignored the messages no matter what they said, clicked anything to get rid of the message, and immediately forgot there was even a message.
Security education video game and movie (Score:2, Interesting)
http://cisr.nps.edu/cyberciege/ is a video game designed to teach computer security concepts. In addition to its more advanced scenarios, it includes a few simple "awareness" scenarios, the first of which directly addresses your topic. Further, this animated movie: http://cisr.nps.edu/cyberciege/movies/02CIEGE.html helps the layman understand why the problem of malicious software is so hard to solve. The link includes a free evaluation version of the game.
Re:So you are looking for a "Reefer Madness" movie (Score:2, Interesting)
Yes, they do, on a mass scale. When applied "properly" to things like smut, terrorism, gay marriage, etc, the "Reefer Madness" tactic works very well. In fact it's still working on the drug situation also. Otherwise prohibition would have been abolished a long time ago. Do not underestimate the power of "madness".
Re:Yell at them and make them feel like shit. (Score:5, Interesting)
That was two years ago. Have not had a SINGLE instance of any malware on any machine, since that time. People now ask me every time they have any doubts about what they're doing, and I've headed off a few potential catastrophes since that started happening.
I'm guessing it's not a coincidence.
Deny internet access to repeat offenders (Score:3, Interesting)
Deny internet access to repeat offenders. They soon get the message that way.
Re:Yell at them and make them feel like shit. (Score:3, Interesting)
I can second that. I tried the opposite and for some reason it worked; below is a link to my own "I clicked on an email link" type virus scenario.
(Apologies for the shameless blog punt...)
http://blog.g33q.co.za/2009/07/16/why-no-operating-system-is-safe-not-one/
Since then I have done the opposite of being the BOFH.
One of the girls who works there was one of the main culprits in spreading the virus around, by sending the mail to EVERYONE and copying files from every darn flash drive she could get her hands on.
So I started joking with her about her having the most viruses on her computer, and since they are in an open-plan office I did not need to work very hard to make that apparent. Also, her Outlook broke and refused to run in anything but safe mode.
I refused to fix it. I just looked at it, fooled around with it a bit and loudly proclaimed "Heck, it must've broken because of that virus you had!"
Since that day there has been the odd virus mail (the greeting card type ones are very popular...), but there has not been a major outbreak of viruses. Usually they still begin with that girl - she just doesn't listen about security and so on - but as soon as anyone gets NOD complaining about a virus, the attitude is to get in contact with me immediately and not to forward each other funny mails.
Heck, they even refuse funnies from this girl, and her flash drive is not allowed on anyone's computer - not via management directive, but because the users themselves don't want her flash drive.
I have caused her to be a bit of a computer leper, and for that reason there have been exactly two virus scares...
Re:Yell at them and make them feel like shit. (Score:5, Interesting)
Huh. Where I happen to live in soviet Canuckistan, both having your wages deducted for accidental damages caused on the job AND being forced to sign something under the threat of losing your job are both illegal.
Something vaguely similar happened where I work. Weekend attendance had been optional for a very, very long time, but management felt that too many people were just taking every weekend off because, well, people like their weekends. Anyway, to try and boost attendance they tried to make everyone sign an agreement basically saying that everyone had to work every single weekend unless excused, and excuses had to be given up to three weeks in advance... and this was all under a threat of "or else". A few of the sheeple signed right away for fear of losing their jobs. When it got round to me, I just laughed and threw the paper in the garbage. My boss tried to give me shit (this was in front of a dozen co-workers, so he had to make a stand) but I interrupted him to inform him that he could not unilaterally renegotiate my job description or fire me if I didn't agree to it, and that if he ever tried to push me (or any of us) around like that again, the provincial labour board would come down on the place like a ten thousand pound bag of shit for it and all the other little skeletons-in-the-closet that I knew about. The next day their little piece of paper disappeared without a trace.
YMMV.
Re:Explosions! (Score:3, Interesting)
> such as not clicking links in the occasional spam email which passes through filters, avoiding suspicious websites,
Just set up a daily cron job to send an email with a link pointing to a page on your web server that shows:
YOU CLICKED THE BAD LINK. YOU'RE AN IDIOT. NEXT TIME WE'LL CUT YOUR SALARY.
For the email subject, just collect a handful of common spam phrases, like "Tired of seeing disappointed faces on women when they pull down your pants". Problem solved.
It's you who ignores basic rules of human behavior (Score:3, Interesting)
1. "If someone can do something wrong, someone will."
There's no way to circumvent this. Ever. Period. You have to accept, that humans make errors. But it's ok if they learn from it.
The problem is:
2. "To get people to learn from something, they have to have an interest in it."
So if it does not hurt them, and does not give them an advantage, then why should they learn anything? Humans are all about efficiency. In fact, all competing life-forms ever are. In all of the universe.
So what do you do? You follow the basic rules of creating a motivating gradient: by offering advantages for those who learn, and disadvantages for those who don't.
Here, remember that positive gradients (relative to the person's state) are always better than negative ones (like punishment).
So I recommend this: At the next raise of salaries, raise them a bit less. But offer the remaining part as a bonus for those who can prove their security-awareness.
The amount is pretty easy to choose: It's the amount that you'd lose (e.g. the money to recover from loss or destruction), multiplied by the factor of likeliness (e.g. one in a million = 0.000001), divided by the number of people in the company (optional, depending on your p.o.v.).
You could check their security-awareness, by testing them every year on a random day. Like a fire drill. But with a security drill. (Without announcing anything. Without any alarm going off.)
And by filling out a question form at the end of the day (one that takes a negligible amount of time, and is also there to refresh the knowledge - one more reason to make it a random day [= better learning]).
You can bet your mother on the fact that they will be much better at caring for security! ^^
Only remember to make all those drills, bonuses and tests proportional to the actual real amount of damage. Don't be surprised if it then turns out to be less than you thought.
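Both the cron-job "bad link" idea above and the unannounced security drill in this comment amount to the same mechanism: send staff a realistic-looking lure on a random day and record who clicks. The sketch below is an added example, not code from any poster in this thread. It builds the lure mail and reads the click-through out of a web-server access log; the one detail worth getting right is that each recipient's link carries an HMAC-signed token, so a click is attributable to exactly one person and nobody can plant a "clicked" entry for a colleague (or argue that one was planted). The host name, addresses, secret, subject lines and the log lines are all constructed for the example.

```python
"""Added example: phishing-drill mailer and click-log reader (not from the thread)."""

import hmac
import hashlib
from email.message import EmailMessage
from urllib.parse import urlparse, parse_qs

# Assumed: a per-drill secret kept only on the host serving the landing page.
DRILL_SECRET = b"rotate-me-for-every-drill"
# Hypothetical landing page on the internal web server.
LANDING_URL = "https://intranet.example/awareness/landing"

# Constructed subject lines of the kind spam filters let through.
SUBJECTS = [
    "Your package could not be delivered",
    "Invoice overdue - action required",
    "You have received a greeting card",
]


def make_token(drill_id: str, user: str) -> str:
    """Return 'user:mac', mac = HMAC-SHA256(secret, drill_id|user) truncated to 128 bits."""
    mac = hmac.new(DRILL_SECRET, f"{drill_id}|{user}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{user}:{mac}"


def verify_token(drill_id: str, token: str):
    """Return the user name if the token was issued for this drill, else None."""
    user, _, mac = token.partition(":")
    if not user or not mac:
        return None
    expected = hmac.new(DRILL_SECRET, f"{drill_id}|{user}".encode(), hashlib.sha256).hexdigest()[:32]
    # Constant-time compare so a forger learns nothing from response timing.
    return user if hmac.compare_digest(mac, expected) else None


def build_drill_mail(drill_id: str, user: str, subject: str) -> EmailMessage:
    """Build the lure: one per recipient, each with its own signed link."""
    msg = EmailMessage()
    msg["From"] = "notifications@example.net"      # hypothetical sender
    msg["To"] = f"{user}@example.com"              # hypothetical recipient
    msg["Subject"] = subject
    link = f"{LANDING_URL}?d={drill_id}&t={make_token(drill_id, user)}"
    msg.set_content(f"Please review the notice here: {link}\n")
    return msg


def clickers_from_log(drill_id: str, log_lines):
    """Scan combined-format access log lines; return the set of users whose
    genuine token for this drill was requested. Forged, mangled or
    wrong-drill tokens are ignored rather than counted."""
    clicked = set()
    for line in log_lines:
        try:
            request = line.split('"')[1]        # 'GET /path?query HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue                            # not a request line
        qs = parse_qs(urlparse(path).query)
        if qs.get("d", [None])[0] != drill_id:
            continue
        user = verify_token(drill_id, qs.get("t", [""])[0])
        if user:
            clicked.add(user)
    return clicked


def sample_access_log(drill_id: str):
    """Constructed log lines: alice really clicked, bob's entry carries a
    forged MAC, carol's hit belongs to a different drill, plus one junk line."""
    good = make_token(drill_id, "alice")
    forged = "bob:" + "0" * 32
    other = make_token("other-drill", "carol")
    return [
        f'10.0.0.5 - - [16/Jul/2009:10:12:01 +0200] "GET /awareness/landing?d={drill_id}&t={good} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [16/Jul/2009:10:15:44 +0200] "GET /awareness/landing?d={drill_id}&t={forged} HTTP/1.1" 200 512',
        f'10.0.0.7 - - [16/Jul/2009:10:20:03 +0200] "GET /awareness/landing?d=other-drill&t={other} HTTP/1.1" 200 512',
        "garbage line without a request",
    ]


if __name__ == "__main__":
    drill = "2009-07-drill"
    print(build_drill_mail(drill, "alice", SUBJECTS[0]))
    print("clicked:", sorted(clickers_from_log(drill, sample_access_log(drill))))
```

Run from cron, the script would be the mailer; the landing page only needs to serve a static explanation and let the web server log the request, so the click record comes for free. Keep the per-drill secret off the mail relay and rotate it between drills, otherwise last year's links stay valid forever.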