Re: The home user problem returns

[Dave Piscitello <dave () corecom com>]

Tina, if I didn't know better, I'd conclude that security is driven by 
marketing and editorial calendars.

I have an entirely different take on pain versus reward than this thread 
has considered.
I actually offered it up for comment yesterday during a talk I gave at a 
NWW Security Tour.

If organizations offered tangible (monetary) rewards to incent users to 
comply with security policy, I suspect you'd see improvements. The model 
I proposed is similar to performance objectives - set goals, and reward 
employees with $ at the end of a performance period based on the results 
of a security audit. I call this the "reverse Cadbury chocolate" 
premise. Simply put, if people will sell their passwords for a $3 candy 
bar, will employees

1) protect their corporate identities
2) comply with USB access controls - all devices must be registered, and 
all information recorded on removeable devices is encrypted and signed
3) participate in security education (e.g., an online tutorial that 
explains phishing and ways to detect and avoid entrapment)

for $50-100 additional income every performance period?

Sorry, I can't share this with the list. Paul's somehow botched my 
subscription - I can received but can't post:-)

tbird () precision-guesswork com wrote:

> Quoting Elizabeth Zwicky <zwicky () greatcircle com>:
>
> > On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
> >
> > > i disagree. i don't know *anyone* who willingly makes a fundamental,
> > > significant change in their behavior without pain as a motivator.
> >
> >
> > On the one hand, I agree with Tina -- people change their OWN
> > behavior based on their OWN pain. On the other hand, this insight
> > leads people to some terrible attempts at training, because people
> > (dogs, cats, octopus, anything with a brain of reasonable size)
> > do not respond effectively to imposed pain. Positive training
> > methods always work better on long-term measures.
>
>
> correct, as we expect from elizabeth :-) most of the time when i'm 
> presenting
> the use of endpoint enforcement techniques to system administrators 
> (the folks
> who will be managing the systems) and their end users, i start by 
> describing it
> as a reward system for proper configuration, rather than a punishment 
> system
> against incorrect or compromised configurations. it's the same as the
> artificial ignorance approach to log management, or good ol' deny all 
> firewall
> rules. the list of "things that absolutely ought to be configured this 
> way" is
> shorter than the list of all possible things that should be prohibited.
>
> so of *course* most folks won't want to do that.
>
> unfortunately, i am consistently told by marketing folks and 
> journalists that
> rewarding the right behavior isn't sexy enough to be newsworthy. 
> apparently
> selling "a kick ass system for maintaining proper system config, and
> simplifying enterprise desktop management" doesn't work - but "scan 
> and block"
> or "worm preventers" or "quarantine solutions" will. i think it's 
> absurd, that
> stupid reactive approach to life. it was much easier to get the UNIX 
> sys admins
> to adopt security mechanisms by pointing out how much easier they make 
> system
> management, but apparently that's not always a good sell for the desk top
> folks. i don't get it.
>
> tbird
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature