Impressing Security Upon End-Users Visually?
get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"
Explosions! (Score:4, Funny)
Make a video where the user clicks "Run File" in Internet Explorer and then the building explodes.
Security holes (Score:1)
Your users will not dare to violate your security rules after that, and probably not ever again for the rest of their lives.
Re:Security holes (Score:5, Funny)
http://www.youtube.com/watch?v=1SNxaJlicEU
Re: (Score:2)
or... (Score:2)
No sensible person or company puts those things in an email any more, anyway. If you need to go do something with your account at your bank, the email just says, "Please go to your account and check your status." Anything further is probably spam, mal-something, or straight-up clueless.
Re: (Score:2)
Even easier with better impact, just give a simple security message that any wrong action on their part can open a security hole
Didn't Microsoft already try UAC and fail miserably...
Re: (Score:2)
I think you define "average person" very widely...
Re: (Score:2)
I think you define "average person" very widely...
Doesn't something that's average, by its nature, have to be defined widely...?
Re: (Score:2)
I think you define "average person" very widely...
Doesn't something that's average, by its nature, have to be defined widely...?
If the "average person" eats at McD, then yes.
Re: (Score:3, Funny)
Re: (Score:2, Funny)
There's a freeware program that, when run, starts flashing the screen, and plays at MAX volume "HEY EVERYONE, I'm looking at GAY porno!" ... just send that around, and people will quickly learn not to open programs.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Hmmm. I read the posted question/summary. Started scrolling down, reading comments. Stopped. Go back up and read just the title. Hmmm. Forget everything else, just concentrate on the title.
Could you make some kind of a monitoring app, which displays a graphic?
I don't mean to make a new antivirus. Just some graphic attached to existing antivirus and anti-malware softwares. It monitors the stupid things people do, and displays a ribbon or something across the top of the toolbar. Put a red end on the
Re: (Score:2)
No, I don't mean predicting what they are doing. We already know what things they do that are hazardous. Clicking on email attachments, for instance. The app watches for someone to click an attachment, and gives him one of those annoying popups. "Hey stupid! Your IT man has warned you a million times not to open email attachments! Are you SURE that this email is from a TRUSTED SOURCE?!?!"
Installing apps is another good example. Home users don't have an IT guy, so this app which monitors what they are d
Re: (Score:3, Interesting)
> such as not clicking links in the occasional spam email which passes through filters, avoiding suspicious websites,
Just setup a daily CRON job to send an email with a link pointing to a page in your web server that shows:
YOU CLICKED THE BAD LINK. YOU'RE AN IDIOT. NEXT TIME WE'LL CUT YOUR SALARY.
For the email subject, just collect a handful of common spam phrases, like "Tired of seeing disappointed faces on women when they pull down your pants". Problem solved.
Dont you mean "oppresing"... (Score:1)
Re:Dont you mean "oppresing"... (Score:4, Interesting)
Why can't users choose their own level of security - idiots be damned. But I bet you find a whole bunch of people wise up really fast. :P
You could try it but I doubt it will make your life easier. Most users don't understand and don't care and will expect you to fix their mistakes over and over again. Most of them have some kind of twisted pride in their ignorance.
There was research done on office staff by flashing up random warning messages on their screens, most users ignored the messages no matter what they said, clicked anything to get rid of the message, and immediately forgot there was even a message.
Re: (Score:1)
Re:Dont you mean "oppresing"... (Score:4, Informative)
I did find this:
http://arstechnica.com/security/news/2008/09/study-confirms-users-are-idiots.ars [arstechnica.com]
I'm not sure if it's the study I was thinking of though.
Study confirms [Re:Dont you mean "oppresing" (sic)] (Score:1, Informative)
Unfortunately, there should be another article titled "study confirms that computer system administrators are also mostly idiots"... but, of course, that wouldn't win any awards on a site like arstechnica, which caters to the computer geek set, which likes to pretend that they are not idiots.
Nor on a site like slashdot, for that matter. (Moderation: troll, here it comes.... guess I'd better click that "post anonymously" box, or else I'm gonna burn
Re: (Score:1)
I certainly couldn't cope in finance or psychology, but I'm not put into situations where I am expected to have a full working knowledge of the minutiae of those fields and then left to my own devices to function - 'idiot be damned'
That's basically what lawnboy was apparently suggesting - and that's a theory a lot of sysadmins would reject in practice (i would love it if everyone could
Re: (Score:1)
(note - this is the actual study publication - not the Ars news story about said publication)
http://media.haymarketmedia.com/Documents/1/SharekWogalterFakeWarning_publicationFinal_805.pdf [haymarketmedia.com]
Re: (Score:2)
Because when their computer is completely hosed and borderline unusable as a direct result, the chances are the OP or someone in a similar role will have to pick up the pieces. This gets really old really fast.
Myself, I think there may be something to be said for the endpoint security products that combine centrally managed antivirus, firewall and antispyware features.
Re: (Score:2)
I, for one, get paid to keep them and my employers from wasting valuable time, money, and bandwidth on such errors.
Re: (Score:1)
Re: (Score:2)
Work is called that for a reason. Hopefully you are fortunate enough to enjoy the work that you do, making it seem less like work, but work it is and shall be and sucks to the whiners.
This is one of those "facts" that was drilled into your brain as a child, then as a teenager, and as an adult. You just blindly accepted it without question as "the way things are", and now these are the "facts" you tell everyone you meet. Most people will grudgingly accept it as true, unsure as to why deep down inside they f
Re: (Score:2)
Joe User: Passwords do vex me - let's kill them now!
IS Dept: But that will mean anyone could copy our data.
Joe User: So? I could get my job done.
IS Dept: Even our most hated competitors would know everything.
Joe User: So? I could get my job done.
IS Dept: ???
Re: (Score:2)
My post was in reply to "let's let the users decide how much security they want". My point was that the users would probably opt for "none". A properly designed security policy will protect the assets and let Joe do his job.
naaaahhh.. crazy talk. (Score:2)
the legacy dos files...
the run and run-once lines in the registry (all of them)
runservices
load
userinit
the startup menu
the startup menu for the user
Lots of the code doesn't work unless it gets full rein to jack your system. Turn on the windows based security an
So you are looking for a "Reefer Madness" movie... (Score:4, Insightful)
...about computer security? Those work so well.
Re: (Score:2)
Re:So you are looking for a "Reefer Madness" movie (Score:2, Interesting)
Yes, they do, on a mass scale. When applied "properly" to things like smut, terrorism, gay marriage, etc, the "Reefer Madness" tactic works very well. In fact it's still working on the drug situation also. Otherwise prohibition would have been abolished a long time ago. Do not underestimate the power of "madness".
Re: (Score:2)
How about "Napster Baaaaad"?
Change their perspective to be self gratifying (Score:5, Interesting)
I was spending some time with some friends of mine a few months back when the inevitable malware conversation came up. These friends happened to all be quite computer illiterate. What I did instead of giving the usual spiel about malware was show them a better experience.
I sat them down and showed them how to use Firefox with NoScript. I showed them their favorite sites without all the baggage and they were amazed at the improved experience. I made sure I showed them how to use NoScript with sites like Facebook and still get what they wanted.
All of this was done in less than 15 minutes, and they now use this combination on a daily basis, not because of the improved security, but because of the improved experience. The fact that their security is improved is entirely incidental.
Note to Firefox devs: improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over Internet Explorer in the Enterprise.
Re: (Score:3, Insightful)
You know, sticking this down in some random response on a Slashdot discussion thread is not the most likely way to have Firefox devs see and pos
Re: (Score:2)
I'm sure many people who work in professional IT have been griping about this to Mozilla for years. It would be such a handy feature, after all.
Re: (Score:3, Informative)
https://bugzilla.mozilla.org/show_bug.cgi?id=267888 [mozilla.org]
I guess patches are welcome...
Re: (Score:2)
"Have you posted this over at mozilla.com?"
The near certainty that a geek will kill time at work browsing /. probably makes posting here a better choice.
Bug 267888 (Score:2)
Have you posted this over at mozilla.com?
Bug 267888 [mozilla.org].
Change their perspective so they quail in terror (Score:2)
Send out a fake spam email. Anyone who clicks on the link gets a security warning letter and a "You are subject to termination for clicking on the link in an email. Contact HR immediately."
www.IdentityTheft.info video (Score:4, Informative)
Backdoor.Ghostnet (Score:3, Informative)
I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you.
Re: (Score:2)
No, the message is screw VNC and SMB. I want to use that userfriendly tool!
This just gave me an idea. (Score:2)
You know what would be really cool? If you had a rewriting-proxy that would occasionally insert a cartoon spy in pages that could be unsafe, reminding/warning them about what could have happened. For example if they submitted a form with a password, and it wasn't encrypted, the spy could pop up and say "This password is unprotected, and could be snooped. Be sure not to use the same password for anything important!", and then have buttons the users could click to submit the form anyway or cancel. If they arr
Really? (Score:2)
A reminder/warning that user should click on to make it go away?
How much time do you suppose would pass before:
a) users completely ignore it, madly clicking [ OK ] without even looking at the text?
b) it is spoofed and/or copied by malware sites, cartoon spy and all?
Answer should be calculated in minutes and seconds, but feel free to use larger time units like hours and days.
Phishing article on SciAm (Score:4, Informative)
http://www.scientificamerican.com/article.cfm?id=how-to-foil-phishing-scams [scientificamerican.com]
This is a good start and I'd recommend investigating the author's other published material.
Re: (Score:2)
Hilarious: The original poster asks for advice and you post a "pay to read" link.
I have nothing against a journalist trying to make a living but you were asked for your advice not someone else's (are you the author - can't be arsed to check.)
This is a discussion about phishing, do you see what I am getting at?
Re: (Score:2)
I see there's some irony there. It's not phishing. The guy is looking for resources, I point him towards an article with a solid bibliography. If he doesn't want to pay, that's his (or anyone else's) business. He can go to the library and look it up if he wants it for free, just like any other book or mag. Just b/c it's not free and on the internet doesn't mean it's not useful.
I do agree that I should have pointed out that this is a for-fee site.
Cisco's Website (Score:2)
People are stupid (Score:1)
Security education video game and movie (Score:2, Interesting)
http://cisr.nps.edu/cyberciege/ [nps.edu] is a video game designed to teach computer security concepts. In addition to its more advanced scenarios, it includes a few simple "awareness" scenarios, the first of which directly addresses your topic. Further, this animated movie: http://cisr.nps.edu/cyberciege/movies/02CIEGE.html [nps.edu] helps the layman understand why the problem of malicious software is so hard to solve. The link includes a free evaluation version of the game.
Videos help? (Score:4, Insightful)
I figured that most people would treat videos on computer security like the videos that teachers would show at school. Their reaction?
"NO WORK!!!"
I think that what's most effective is just enforcing your security policies using Group Policy or other management tools on the network. That way, you KNOW that most people won't violate any policies set forth, and those that do are the ones that didn't need the training in the first place.
If you're really adamant about educating your employees with videos and such, find REALLY GOOD videos that will hold their attention for their entire run. Remember, at the end of the day, those computers don't belong to them and most of them simply wish to get work done. Any teaching method which can exploit these two truths for educational value is probably worth watching.
Dark Ages (Score:2, Insightful)
What's in it for them? (Score:4, Insightful)
So why should they go to the inconvenience of not clicking on links that they want to, or not visiting any website that takes their fancy? By appealing to their "professionalism" or "humanity" or "team spirit" you're probably on a loser. While these might get them gee-d up for a short time, you can bet that unless there's some personal pain involved in doing it, they'll be back to their old habits in a few weeks time.
Once you can put security in terms a normal user will understand: i.e. If you click on a bad website, these bad things will happen TO YOU, they'll pay attention. Until then you haven't got a chance.
Re: (Score:2)
Excellent point about bringing personal pain.
When I found some malware (Securitytool, basically holds the computer hostage) on one of the computers I called everyone around it and told them that because someone installed something they weren't supposed to, everyone who used that computer for online banking or any other important activities needed to change their passwords if they wanted to keep their bank accounts full. To this day I don't know who kept messing up that computer but it hasn't happened since.
If you want them to learn... (Score:3, Insightful)
Nobody learns to avoid fire by being told. You have to get near and feel the heat to know you better not do it. So my advice is: make traps. Send them emails signed by another coworker asking for their password. Send them executable files that block their computer and flash a sign telling them that all their files are being erased, just because they executed a file from an unknown origin. All kinds of traps, with nasty consequences if possible; you don't want them to click on everything because it can be another amusing idea of yours. You want them scared of your ideas so that they look askance at every email or web page to see if it could be a trap. As they might be, so that's the right attitude.
Re: (Score:2)
And two months later when you're back at the unemployment office you can chuckle to yourself about the fun you had.
That's a possibility, of course. But you'd be doing your job in the best possible way. In my experience, there is always an element of risk in excellence. Anyway, you can minimize your risks. You can always make a seminar first, give everybody a ten-commandment-sheet, etc. explaining what they cannot do, and then send the traps as tests, after some weeks. If they fail, you can say that anybody
Set policy (Score:2)
Here's the solution (Score:2)
Make yourself a laptop with a Deep Freeze image. This way you can infect the system at will, reboot and it's clean.
Show the people using your system just how badly a zero-day exploit can hose a system.
Reboot, show the next group. Rinse, repeat.
Re: (Score:2)
You use it on a connection not connected to the business network, like a tethered phone modem, or a wireless 3G service, etc.
Never ever demo an exploit while connected to the business network - what insane fool would do that?
Wait, don't answer that. :)
Virtualforge has really good XSS and CSRF vids (Score:2)
http://www.virtualforge.de/vmovie.php [virtualforge.de]
The XSS and CSRF videos are very good visualizations for the common user using simple examples.
Deny internet access to repeat offenders (Score:3, Interesting)
Deny internet access to repeat offenders. They soon get the message that way.
Excellent Question; Really Bad Timing (Score:2)
Excellent question but, unfortunately, it hit the main /. page on a Saturday. Let's just say that the percentage of readers who are IT professionals drops off significantly over the weekend. Go figure.
Most of your responses so far are along the lines of, "You NAZI! Leave your users alone and let the ones who don't learn get what they deserve." Obviously, not the response of an IT type who has to deal with regulatory requirements and wants to keep his job. You might try the same question again but on a
I Have a Vision of... (Score:3, Funny)
Hi, I'm Troy McClure. You may remember me from such IT security videos as "Microsoft Explorer: Ubiquitous but Unsecure" or "Passwords: The Road to Ruin".
Demonstrate (Score:2)
A demonstration of the "Customer Appreciation Bat" works wonders.
Although since it's a corporate institution, the "Security Empowerment Bat" might be more effective.
Re: (Score:2)
Trouble is, at most places the "Security Empowerment Bat" is made out of marshmallow.
Impress what happens when they AREN'T secure (Score:2)
Look for vids of the WMF bug (Score:3, Informative)
Sunbelt Security had a video posted of what occurs when you got hit by the old WMF bug awhile back. You could see software being installed, icons appearing on the desktop, and the desktop background being modified as this thing went to town and began popping fake AV warnings. It was one of THE most extreme and informative examples I can think of for this.
Here's a copy of it I found on Youtube. A search for "WMF exploit" on YouTube will get you plenty of hits :-)
http://www.youtube.com/watch?v=WTBcDJ9kJH4 [youtube.com]
IMO, I think this answers your question!
Re: (Score:2)
That video wasn't too exciting, but one of the related videos seems to fit the bill for the OP's request: http://www.youtube.com/watch?v=3atmWmWCwlw [youtube.com]
Re: (Score:2)
That vid is a bit overblown, the vid I posted is pretty much exactly what happens when you click on the wrong thing and get owned.
If you are talking about corp users (Score:2)
why not block access to anything non-approved?
More accurately, only allow specific sites.
Yes some people will get around it, but most people capable enough to get around aren't high risk. How many people who know how to tunnel would also download smileys?
PUMP them UP (Score:2)
Maybe create some internal XSS that resides on your corporate proxy server. So when someone runs (say) a Facebook app, your XSS runs some Javascript off of an internal server that does something moderately annoying like continual pop-ups. Then if they click on one of the popups, disable their external web access completely.
unsafe ... or just inappropriate? (Score:2)
Okay, I'll bite. Do Facebook and MySpace fall in the unsafe category, or are they just inappropriate? Obviously you don't want employees spending all their time at their desks screwing around with Facebook, because you want them to be doing useful work. But if there's some actual security vulnerability that is opened up when a user simply goes to a web page with a certa
Fedex a package (Score:2)
A normal brown-box Fedex-like package. When they open it, a balloon bursts and glitter goes everywhere.
Maybe they'll learn not to open random packages when it means maybe cleaning glitter for six days.
Making people care is about incentives (Score:2)
If people were held personally liable for damages caused by security breaches that they enabled, they would get smarter about security.
I'm not arguing that they should be held liable, just that it's going to be hard to make them care when they aren't.
Be the bad guy (Score:2)
Send some "test" links yourself. When you manage to break into the user's machine, e-mail the user his own confidential document, password, etc. Then tell him _how_ he exposed himself and that you _could_ have been the bad guy.
I learned how to use chmod properly this way a LONG time ago -- the teaching method was highly effective... :)
(You will, of course, get the careless users ticked off -- so make sure you have management approval for this. But seeing _proof_ of what _will_ happen will get the message
It's you who ignores basic rules of human behavior (Score:3, Interesting)
1. "If someone can do something wrong, someone will."
There's no way to circumvent this. Ever. Period. You have to accept that humans make errors. But it's ok if they learn from it.
The problem is:
2. "To get people to learn from something, they have to have an interest in it."
So if it does not hurt them, and does not give them an advantage, then why should they learn anything? Humans are all about efficiency. In fact, all competing life-forms ever are. In all of the universe.
So what do you do? You follow basic rules of creating a motivating gradient. By offering advantages for those who learn, and disadvantages for those who don't.
Here, remember that positive gradients (relative to the person's state) are always better than negative ones (like punishment).
So I recommend this: At the next raise of salaries, raise them a bit less. But offer the remaining part as a bonus for those who can prove their security-awareness.
The amount is pretty easy to choose: It's the amount that you'd lose (e.g. the money to recover from loss or destruction), multiplied by the factor of likeliness (e.g. one in a million = 0.000001), divided by the number of people in the company (optional, depending on your p.o.v.).
You could check their security-awareness by testing them every year on a random day. Like a fire drill. But with a security drill. (Without announcing anything. Without any alarm going off.)
And by filling out a question form at the end of the day (one that takes a negligible amount of time, and is also there to refresh the knowledge. One more reason to make it a random day [= better learning]).
You can bet your mother on the fact that they will be much better at caring for security! ^^
Only remember to make all those drills, bonuses and tests proportional to the actual real amount of damage. Don't be surprised if it then turns out to be less than you thought.
http://securitycartoon.com/ (Score:2)
A while back a Slashdot comment had a link to security cartoon [securitycartoon.com]. The cartoons are cute and pretty thorough, though they may be a bit simple and are somewhat outdated. It's visual and pretty straightforward.
This is actually a big problem (Score:2)
Usually, when something "bad" happens, you get to see the result. You lose your wallet, you can't pay next time you have to. Someone breaks into your house, everything's turned upside down. With malware, there just ain't anything to see.
To make things worse, people have been told by Hollywood that there is something to see. Computer screens "melting" or outright explosions (those dreaded 220kV lines in those flatscreens ... you know...), or at least some nifty CGI (honestly, every time someone searches fing
Re: (Score:2)
Unfortunately, this and worse is pretty much true. There are people out there that no matter what you do will still make stupid mistakes anyway for the dumbest reasons and then they'll be angry with you for not magically protecting them from their own incompetence.
Your only real solution is to either keep cleaning up after them or try and get their internet access revoked somehow.
Re: (Score:2)
There are people out there that no matter what you do will still make stupid mistakes anyway for the dumbest reasons and then they'll be angry with you for not magically protecting them from their own incompetence.
Your only real solution is to either keep cleaning up after them or try and get their internet access revoked somehow.
I have much the same experiences. I find that firewalling everything and forcing users to use a web proxy and mail gateway works pretty well. There is no reason for having office staff able to directly contact the Internet on any port.
Re: (Score:2)
I think you under-estimate how easy it is to train dogs.
Re: (Score:2)
Only after you give them tons of doggy treats which, as far as I can tell, there are no substitutes for in training humans. We are SOL.
Re: (Score:2)
I think the human treat you may be looking for is a flat rectangular green object that is easily folded and often found in banks. :P
At least, in my experiences it seems to motivate people pretty well.
Re: (Score:2)
Bacon's cheaper and works just as well for most gentiles.
Re: (Score:3, Insightful)
Then, if you work in a company, said stupid people will undermine you. They'll make sure mgt knows you're insulting and unprofessional. Anything breaks, they'll let their bosses know that you were the one who "fixed" it and that your fixes don't work.
Treat people like children and they will usually act like children.
Re: (Score:3, Interesting)
I can second that. I tried the opposite and for some reason it worked, below is a link to my own "I clicked on an email link" type virus scenario.
(Apologies for the shameless blog punt...)
http://blog.g33q.co.za/2009/07/16/why-no-operating-system-is-safe-not-one/ [g33q.co.za]
Since then I have done the opposite of being the bofh.
One of the girls who works there was one of the main culprits in spreading the virus around by sending the mail to EVERYONE and copying files from every darn flash drive she can get her hands on.
So
Re: (Score:3, Insightful)
That will be a great story to tell all those people you meet at the unemployment office, there, tough guy.
Brett
Re: (Score:2)
What you want is an airbag behind the screen. When a virus is detected the airbag explodes out. The glass in the screen lacerates the user's face and indelible red ink on the airbag stains their skin for weeks to come.
Alternatively you could have a little water cannon under the desk that sprays their crotch so everyone thinks they wet themselves.
Only that kind of humiliation can ever hope to teach these lusers. -BOFH
Re: (Score:2)
That works, until the user is a bigger jerk than you are. I worked for a fairly senior enlisted man who was pretty bad about computer security. He related to me a story about how some system he needed to use generated a password for him, but it was totally random and he couldn't remember it.
There was no option, whatsoever, to generate any kind of "friendly" password or to make it memorable. So his solution was to call the help desk and to insist upon getting a password he could remember. The female tech sta
Re: (Score:2)
Our company runs company computers through a proxy; visitors and private laptops can connect directly.
Re:Yell at them and make them feel like shit. (Score:5, Interesting)
That was two years ago. Have not had a SINGLE instance of any malware on any machine, since that time. People now ask me every time they have any doubts about what they're doing, and I've headed off a few potential catastrophes since that started happening.
I'm guessing it's not a coincidence.
Re:Yell at them and make them feel like shit. (Score:5, Interesting)
Huh. Where I happen to live in soviet Canuckistan, both having your wages deducted for accidental damages caused on the job AND being forced to sign something under the threat of losing your job are both illegal.
Something vaguely similar happened at where I work. Weekend attendance had been optional for a very very long time, but management felt that too many people were just taking every weekend off because, well, people like their weekends. Anyways, to try and boost attendance they tried to make everyone sign an agreement basically saying that everyone had to work every single weekend unless excused, and excuses had to be given up to three weeks in advance... and this was all under a threat of "or else". A few of the sheeple signed right away for fear of losing their jobs. When it got round to me, I just laughed and threw the paper in the garbage. My boss tried to give me shit (this was in front of a dozen co-workers, so he had to make a stand) but I interrupted him to inform him that he could not unilaterally renegotiate my job description or fire me if I didn't agree to it, and if he ever tried to push me (or any of us) around like that again, that the provincial labour board would come down on the place like a ten thousand pound bag of shit for it and all the other little skeletons-in-the-closet that I knew about. The next day their little piece of paper disappeared without a trace.
YMMV.
Re: (Score:3)
But I assume that a small bonus to an employee every month their machine /isn't/ compromised is perfectly legal, even in a country with sane labor laws? Or perhaps a free lunch?
Of course, this does cost some money, but you'd be surprised how even a small amount of money or food can motivate people to make tiny changes to their routine.
Re: (Score:2)
"Accidental" is one thing; "deliberate" is another.
I've got two 'tarded users who get their systems hosed with malware several times a year. It doesn't matter how many times I explain that they should NEVER click on a link that says they have to update their video player to view shocking security camera footage of themselves or a video of a monkey throwing poo at zoo visitors. Last time, I dumbed it down to, "Stop clicking on stupid shit!" Maybe that will work. Meanwhile, I'm going to work on getting a l
The real answer is ... (Score:2)
The director stood up
You found the holy grail of successful IT endeavors, (including educating end users) - executive buy-in and support. I know at least a dozen companies in which the executives pay lip service to lots of things, such as IT security, but don't actually actively support them. As a result, nothing really gets done in those areas.
Show me a company that hires good IT folks, makes them feel valued, and supports them, and you will find a company with a rock solid IT infrastructure.
Ah, so your management is a bunch of dicks (Score:2)
You did manage to save them a bunch of money, though. Now that your users aren't fucking up their machines any more, there's little reason to keep paying you to do nothing. Cost of your services, and all that.
Re: (Score:2)
That was two years ago. Have not had a SINGLE instance of any malware on any machine, since that time
That they've told you about.
Re: (Score:3, Insightful)
Anti-*** doesn't do crap except detect the old stuff that has been out forever. Sure it will reduce the number of malware items by 25-50% but that is hardly enough because even one item of malware can disable the anti-malware systems and let the rest in.
I agree with the idea that employees should not be docked pay.. as that is a bit harsh. Users DO need to be held accountable for their actions though. Just as an employee would be held accountable for a physical security breach (bringing that hobo to work
Re: (Score:3, Insightful)
Ultimately the one weak link in security that is always present is the user. So you have to either hamper the user, and progressively cripple his ability to use the computer, or you have to educate him about whom to trust and whom not to.
Any power you give the user is a power he can ultimately be tricked into misusing.