Re: Buying into the Security Culture
You are correct - the weakest link is usually the user community, and is also the most difficult challenge to overcome. The key is to engineer their behavior through awareness training, and transform the organization's culture to include secure practices. Security awareness training is such a difficult task because there are so many different personalities involved. However, measurable training effectiveness can be achieved by delivering a message that becomes personal to the individual, so relating secure practices at work to their personal activities definitely helps. When you think about it, secure practices at work are really not much different from secure practices in one's personal life.

When I deliver awareness training, I start with its implications on personal activities - online banking, shopping, social media, etc. That gets their attention all the time, and always results in lively discussion. Then I introduce corporate secure practices and demonstrate how those are not very different from the same ones I advocate they use in their personal activities. I think this method allows for better retention and effectiveness.

Having said that, organizations should definitely have strong user controls in place, and should anticipate that users will attempt to circumvent them. When coupled with effective awareness training, the combination goes a long way towards the goal of transforming the organization's culture to include secure practices.