But on this issue, I think he's selling human beings short. The problem is that for training to work, you have to get it right. That begins with not requiring corporate security training for your employees. WTF, you say?! You train them on security by not training them on security? Bear with. The trick to successful training is connecting people to information that they want. Your users don't want corporate security training because corporate security isn't their job.
I have found that one of the best ways to get users interested in computer security is to point out that, when they go home at 5pm, so do I, and they don't live with me. So they're on their own. And by offering classes on home computer security, I've had a good deal of success in getting people interested, presenting topics that are relevant, and helping them understand what they can do - both technically and behaviorally - to be safer when online. So here's the outline for my class:
- Why Hackers Want to Hack You
  - Money
  - Organized Crime Stats
- Threats You Face
  - Viruses / Worms
  - Trojans / Bots & Botnets
  - Spyware / Adware
  - Spam
  - Phishing
- Self-Defense
  - Software
    - Antivirus
    - Firewall
    - Windows Auto-Update
    - Anti-Spyware Tools
    - IPS
  - Manual Self-Defense
    - Safe Browsing
    - IM / Chat
    - Passwords
- Personal Safety Online
  - Protecting Your Personal Info
  - Resources for Kids/Teens
  - When to Contact Law Enforcement
- Q&A