Wednesday, January 31, 2007

Getting Security Training Right

In early 2005, Marcus Ranum wrote an editorial in which he decries, among other things, security training for end users. His position, summarized, is, "If it was going to work, it would have worked by now." And here's the thing - mjr is a REALLY smart guy, and I respect the hell out of him. If he had a blog, I'd read it. I let Information Security Magazine kill trees in my name for the sole purpose of reading his editorials.

But on this issue, I think he's selling human beings short. The problem is that for training to work, you have to get it right. That begins with not requiring corporate security training for your employees. WTF, you say?! You train them on security by not training them on security? Bear with. The trick to successful training is connecting people to information that they want. Your users don't want corporate security training because corporate security isn't their job.

I have found that one of the best ways to get users interested in computer security is to point out that, when they go home at 5pm, so do I, and they don't live with me. So they're on their own. And by offering classes on home computer security, I've had a good deal of success in getting people interested, presenting topics that are relevant, and helping them understand what they can do - both technically and behaviorally - to be safer when online. So here's the outline for my class:

  • Why Hackers Want to Hack You
    • Money
    • Organized Crime Stats
  • Threats You Face
    • Viruses / Worms
    • Trojans / Bots & Botnets
    • Spyware / Adware
    • Spam
    • Phishing
  • Self-Defense
    • Software
      • Antivirus
      • Firewall
      • Windows Auto-Update
      • Anti-Spyware Tools
      • IPS
    • Manual Self-Defense
      • E-Mail
      • Safe Browsing
      • IM / Chat
      • Passwords
  • Personal Safety Online
    • Protecting Your Personal Info
    • Resources for Kids/Teens
    • When to Contact Law Enforcement
  • Q&A

So do you notice anything about the topics covered? If you were going to put together a user-facing training class on security issues, how much crossover would there be between your class and mine? After one year of offering this class (and having to schedule an extra session due to demand), I am pleasantly surprised to report that it works. Some of the folks who have taken my class have come to me with information regarding security issues in our workplace. I like to think it's because they're starting to think like a security professional - irrationally paranoid, but for good reason.
