> -----Original Message-----
> From: Richard Zaluski [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 09, 2006 1:46 PM
> To: 'Brady McClenon'; Derick Anderson; 
> [email protected]; [email protected]
> Subject: RE: New article on SecurityFocus
> 
> I agree with Brady, it's frustrating to hear the same thing over and over as
> an excuse. Even a little education goes a long way. Yes sure you will always
> have the few people who just don't get it but does that mean you abandon the
> whole concept? No, not in our books.


Let me make it clear that I'm not "abandoning" user education and I'm
not denying the benefits of it. However in the context of security (a
separate issue from job training) I don't believe the benefits are worth
the cost.

I used to believe that if users were trained properly then they wouldn't
need anti-spam/virus/spyware/etc. because they'd know better than to do
stupid things like click on links to pictures of naked tennis players. I
used to put forth a lot of effort trying to educate users, thinking if
they knew the truth that their habits would surely improve. But as I've
said in my other post, a lot of users don't care or can't understand,
and it just doesn't make economic sense (to me) to spend time and money
when the practical and technical outcome (from a security perspective)
is essentially the same.

> We (iVOLUTION) are a training and services company and have done corporate
> training in Security Awareness. Even some of the basic principles we teach
> have an immediate impact on calls to the help desk.

Every once in a while I spam our users with a "how not to get owned by
the internet" spiel, which reminds them of the basics of emails and
attachments. I've got nothing against the basics here, but expecting
education to compensate for good security practices and securely
designed systems is going too far.

If a company has excess funds and time for this sort of thing after
hardening their workstations, servers and network, implementing
additional layers of security, and auditing network usage policies,
great. Otherwise, spend the money and time securing things that don't
have minds of their own. =)

> I think for the case of the 'Best Buy's' out there providing training along
> with a PC, it's a nice thought, but it's a cost to them; unless they can
> market it and make money on it, it's not going to happen. The margins on PC
> sales are thin, so any additional costs added on are a hard sell to
> management. Companies such as that are into moving inventory.

Agree. The last time I bought a car, the dealer didn't make me re-take a
driver's test.

> Thanks
> 
> Richard Zaluski
> CISO, Security and Infrastructure Services iVOLUTION  
> Technologies Incorporated
> 905.309.1911
> 866.601.4678
> www.ivolution.ca
> [EMAIL PROTECTED]
> 

Derick Anderson
