Re: [fw-wiz] The home user problem returns

From: Dave Piscitello (dave_at_corecom.com)
Date: 09/28/05

    To: tbird@precision-guesswork.com
    Date: Wed, 28 Sep 2005 13:05:02 -0400

    Tina, if I didn't know better, I'd conclude that security is driven by
    marketing and editorial calendars.

    I have an entirely different take on pain versus reward than this thread
    has considered.
    I actually offered it up for comment yesterday during a talk I gave at a
    NWW Security Tour.

    If organizations offered tangible (monetary) rewards to incent users to
    comply with security policy, I suspect you'd see improvements. The model
    I proposed is similar to performance objectives - set goals, and reward
    employees with $ at the end of a performance period based on the results
    of a security audit. I call this the "reverse Cadbury chocolate"
    premise. Simply put, if people will sell their passwords for a $3 candy
    bar, will employees

    1) protect their corporate identities
    2) comply with USB access controls - all devices must be registered, and
    all information recorded on removable devices is encrypted and signed
    3) participate in security education (e.g., an online tutorial that
    explains phishing and ways to detect and avoid entrapment)

    for $50-100 additional income every performance period?

    Sorry, I can't share this with the list. Paul's somehow botched my
    subscription - I can receive but can't post :-)

    tbird@precision-guesswork.com wrote:

    > Quoting Elizabeth Zwicky <zwicky@greatcircle.com>:
    >
    >>
    >> On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
    >>
    >>> i disagree. i don't know *anyone* who willingly makes a fundamental,
    >>> significant change in their behavior without pain as a motivator.
    >>
    >>
    >> On the one hand, I agree with Tina -- people change their OWN
    >> behavior based on their OWN pain. On the other hand, this insight
    >> leads people to some terrible attempts at training, because people
    >> (dogs, cats, octopus, anything with a brain of reasonable size)
    >> do not respond effectively to imposed pain. Positive training
    >> methods always work better on long-term measures.
    >
    >
    > correct, as we expect from elizabeth :-) most of the time when i'm presenting
    > the use of endpoint enforcement techniques to system administrators (the folks
    > who will be managing the systems) and their end users, i start by describing it
    > as a reward system for proper configuration, rather than a punishment system
    > against incorrect or compromised configurations. it's the same as the
    > artificial ignorance approach to log management, or good ol' deny all firewall
    > rules. the list of "things that absolutely ought to be configured this way" is
    > shorter than the list of all possible things that should be prohibited.
    >
    > so of *course* most folks won't want to do that.
    >
    > unfortunately, i am consistently told by marketing folks and journalists that
    > rewarding the right behavior isn't sexy enough to be newsworthy. apparently
    > selling "a kick ass system for maintaining proper system config, and
    > simplifying enterprise desktop management" doesn't work - but "scan and block"
    > or "worm preventers" or "quarantine solutions" will. i think it's absurd, that
    > stupid reactive approach to life. it was much easier to get the UNIX sys admins
    > to adopt security mechanisms by pointing out how much easier they make system
    > management, but apparently that's not always a good sell for the desktop
    > folks. i don't get it.
    >
    > tbird
    >


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


