
I was going to ask about how to educate users, but now that I think about it, I first want to know if it's actually possible to do effectively at all.

Are there any amazing success (or horrible failure) stories floating around about user education, and different approaches thereto? Any statistics on whether companies that attempt to educate their user base about computer security are, in fact, less likely to suffer a major compromise?

My own experience is that people are often unwilling to alter their usage habits - especially more knowledgeable end users, who assume they know enough to avoid compromise. But my experience here is pretty limited, and based mostly on home/desktop use rather than office/workstation. I'm interested in hearing how this stuff plays out on a larger scale.

DanL4096
  • I've been a skeptic for years, but there was a study published in the last five years that did show a small positive impact. I can't find the citation, which is why this is a comment. Much depends on what _kind_ of education, and when it is delivered. – MCW Jul 18 '14 at 18:23
  • Related but not identical: http://security.stackexchange.com/questions/104436/is-online-security-training-effective – Scott C Wilson Nov 09 '15 at 19:41

2 Answers


I don't have any documented examples or statistics, but I can say that while difficult and expensive, it is certainly possible to educate users. It's easy enough to have security awareness training and whatnot, but the real problem lies in enforcing the policies and auditing their effectiveness. The most successful compromise controls are technical because they don't give people a choice. Not letting someone log in until they change their password is much more effective than having someone sign a sheet of paper saying they'll change their password every 90 days. Many other vulnerabilities stem from things you can't control through technical means, such as phishing.

In order for education of users to be truly successful, the results have to be observed and policies need to be enforced, regular reviews need to take place, and there need to be repercussions for not following policy/training. Just because it's hard or expensive doesn't mean it shouldn't be done at all, though. Doing nothing in the way of educating your users will almost certainly be worse than at least making sure employees are aware of the risks involved with their various behaviors.

JekwA

I cannot answer for others but in my own personal experience as an admin I have seen mixed results. When I created a security policy for a company a few years ago, which included basic password rules--

I ran into a few very angry people who wanted their password to be 'password' or 'password1' or their last name and sent me emails for a couple of weeks or more refusing to change it. Our company deals with many locations in and around the continental United States and that was not acceptable of course.

I had to then tell them I would set it to a very bad list of alphanumerics... which I sent them... and which got them to give me a better one.

I did not bother asking about anything else, I just had to do what I could to encrypt and otherwise secure information on our servers in the background, which was of course a good policy anyway. There is an automation available but more than that is tough to handle for people who don't know or care for the importance.

Jeff Clayton
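Both answers make the same point from different angles: a rule that users are merely asked to follow (sign a sheet, read an email) is weaker than a rule the system enforces at login, and the policy still needs a review step to see who is out of compliance. The following is an added illustration of that kind of technical control, not code from either answer or from any product. It assumes a hypothetical `Account` record and a constructed blocklist; the 90-day maximum age comes from the first answer, and the `'password'` / `'password1'` / last-name cases come from the second.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Policy parameters (assumed values for this example; 90 days is the figure
# quoted in the first answer).
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 12

# Constructed blocklist of trivially guessable passwords, including the ones
# the second answer says users asked for.
WEAK_PASSWORDS = {"password", "password1", "123456", "letmein", "welcome1"}


@dataclass
class Account:
    """Hypothetical account record; a real directory would hold more fields."""
    username: str
    last_name: str
    password_set_at: datetime
    must_change: bool = False


def check_password_policy(candidate: str, account: Account) -> List[str]:
    """Return the list of policy violations for a proposed password.

    An empty list means the password is acceptable. Returning every violation
    at once lets the user fix them in one attempt instead of a back-and-forth.
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in WEAK_PASSWORDS:
        problems.append("on the blocklist of common passwords")
    # Reject passwords built from the user's own identifiers (e.g. last name).
    for personal in (account.username, account.last_name):
        if personal and personal.lower() in lowered:
            problems.append(f"contains personal identifier {personal!r}")
    return problems


def login_gate(account: Account, now: datetime) -> str:
    """Decide what happens at login: 'allow' or 'must_change'.

    This is the technical control the first answer describes: an expired or
    administratively flagged password blocks normal login until it is changed,
    rather than relying on the user to remember a signed policy.
    """
    age = now - account.password_set_at
    if account.must_change or age >= MAX_PASSWORD_AGE:
        return "must_change"
    return "allow"


def change_password(account: Account, candidate: str, now: datetime) -> List[str]:
    """Apply a password change if it passes policy; return any violations."""
    problems = check_password_policy(candidate, account)
    if problems:
        return problems
    # A real system would hash and store the password here; this example only
    # tracks the metadata needed for the age check.
    account.password_set_at = now
    account.must_change = False
    return []


def audit_overdue(accounts: List[Account], now: datetime) -> List[str]:
    """Review step: usernames whose password age exceeds the policy maximum."""
    return sorted(a.username for a in accounts
                  if now - a.password_set_at >= MAX_PASSWORD_AGE)


if __name__ == "__main__":
    # Constructed sample data.
    now = datetime(2014, 7, 18, tzinfo=timezone.utc)
    jsmith = Account("jsmith", "Smith", datetime(2014, 1, 1, tzinfo=timezone.utc))
    print(login_gate(jsmith, now))                      # must_change (198 days old)
    print(check_password_policy("password1", jsmith))   # blocklist + too short
    print(change_password(jsmith, "correct horse battery", now))  # []
    print(login_gate(jsmith, now))                      # allow
```

The gate and the audit share one policy constant, so the review the first answer calls for (who is overdue?) and the enforcement (you cannot proceed until fixed) cannot drift apart; that is the property a signed sheet of paper cannot give you.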