Because I'm on the 'front lines' of handling users' problems (in SMBs of 1 to 180 workstations) I've seen what usually goes for 'user training' ... at this level of business.
What I have found is that most technicians already know why not to do [action] and so either simply state "don't do it", skim over the reason not to do it and/or give the reason in a highly technical nature, which does nothing but confuse the user who then goes merrily along continuing to do [action]. I've laid off techs that were shocked because the user didn't know about [action] - wrong viewpoint.

What I have also found is that _if_ the user understands the reasons why not to do [action] they will stay away from it. Every single time we have shown why not to do [action] to the user, from the user's viewpoint and with an idea that the user really knows absolutely nothing about [action] (or else he/she would probably be a technician and not a user) we get another safe user.

Sincerely,
Daniel H. Renner
President
Los Angeles Computerhelp
A division of Computerhelp, Inc.
818-352-8700
http://losangelescomputerhelp.com
"Inactivity is death" - Benito Mussolini (Even evil dictators know the truth...)

[email protected] wrote:
> Date: Sat, 21 Mar 2009 09:42:32 -0400
> From: Rich Kulawiec <[email protected]>
> Subject: Re: [funsec] BBC Crosses The Line Again
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Fri, Mar 20, 2009 at 11:28:15AM -0700, Paul M. Moriarty wrote:
>> OK, I'll play devil's advocate. What's the right way to educate the
>> public? Because security companies have done a piss-poor job to date.
>
> I strongly concur with the latter statement, but note in passing that
> it's against the financial interests of most of them to do so...so we
> should be very surprised if they did.
>
> However, to answer the question: "none". The public has proven
> itself to be completely ineducable. As Marcus Ranum correctly pointed
> out in "The Six Dumbest Ideas in Computer Security", where he identified
> "user education" as one of them:
>
> If it was going to work, it would have worked by now.
>
> For example, we (for various values of "we") have been telling users
> for a very, very long time that they should never respond to a request
> for their password(s). Yet they do -- constantly.
>
> As another example, we have been telling users never to respond to spam.
> But they do. In large numbers. Consistently. (This, at least, can
> be mitigated by applying blacklist rules to outbound email traffic.)
>
> User education is a fine and noble endeavor. I've done a lot of it,
> as I'm sure many other people here have. But collectively, we have
> almost nothing to show for it. I think it's (past) time to get on
> board with Ranum and stop wasting our time with an approach that's
> failed. Oh, not that *other* approaches might turn out to be equally
> fruitless -- they might -- but let's give them their chance to fail.
>
> ---Rsk
> _______________________________________________

Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
