Firewall Wizards mailing list archives
Re: The home user problem returns
From: Dave Piscitello <dave () corecom com>
Date: Wed, 28 Sep 2005 13:05:02 -0400
Tina, if I didn't know better, I'd conclude that security is driven by marketing and editorial calendars.
I have an entirely different take on pain versus reward than this thread has considered. I actually offered it up for comment yesterday during a talk I gave at a NWW Security Tour.
If organizations offered tangible (monetary) rewards to incent users to comply with security policy, I suspect you'd see improvements. The model I proposed is similar to performance objectives - set goals, and reward employees with $ at the end of a performance period based on the results of a security audit. I call this the "reverse Cadbury chocolate" premise. Simply put, if people will sell their passwords for a $3 candy bar, will employees
1) protect their corporate identities
2) comply with USB access controls - all devices must be registered, and all information recorded on removable devices is encrypted and signed
3) participate in security education (e.g., an online tutorial that explains phishing and ways to detect and avoid entrapment)
for $50-100 additional income every performance period?
Sorry, I can't share this with the list. Paul's somehow botched my subscription - I can receive but can't post :-)
tbird () precision-guesswork com wrote:
Quoting Elizabeth Zwicky <zwicky () greatcircle com>:
On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
i disagree. i don't know *anyone* who willingly makes a fundamental, significant change in their behavior without pain as a motivator.
On the one hand, I agree with Tina -- people change their OWN behavior based on their OWN pain. On the other hand, this insight leads people to some terrible attempts at training, because people (dogs, cats, octopus, anything with a brain of reasonable size) do not respond effectively to imposed pain. Positive training methods always work better on long-term measures.
correct, as we expect from elizabeth :-) most of the time when i'm presenting the use of endpoint enforcement techniques to system administrators (the folks who will be managing the systems) and their end users, i start by describing it as a reward system for proper configuration, rather than a punishment system against incorrect or compromised configurations. it's the same as the artificial ignorance approach to log management, or good ol' deny all firewall rules. the list of "things that absolutely ought to be configured this way" is shorter than the list of all possible things that should be prohibited. so of *course* most folks won't want to do that.
unfortunately, i am consistently told by marketing folks and journalists that rewarding the right behavior isn't sexy enough to be newsworthy. apparently selling "a kick ass system for maintaining proper system config, and simplifying enterprise desktop management" doesn't work - but "scan and block" or "worm preventers" or "quarantine solutions" will. i think it's absurd, that stupid reactive approach to life. it was much easier to get the UNIX sys admins to adopt security mechanisms by pointing out how much easier they make system management, but apparently that's not always a good sell for the desktop folks. i don't get it.
tbird
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards