Slashdot Mirror


A Security Guide For Non-Technical Users?

kin_korn_karn asks: "Like many of you, I am the family IT department. I cannot convince my parents to follow proper PC security procedures. I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use. They, like many people of their generation, seem to be willing to sacrifice security for convenience, as long as their real data isn't being impacted. I can't seem to get it through to them that it's only a matter of time until they are. Since my own arguments aren't working, I need documented proof to back it up. Can Slashdot offer up some kind of arguments or information that I can use?" "Does anyone know of a guide to IT security that:

a) Is written for a non-technical audience, but is neither condescending nor overly 'soft.'

b) Defines the various terminology (trojan, virus, zombie, etc.) clearly.

c) Explains what threats each security measure protects the user from.

d) Uses cases and examples to demonstrate the before and after scenarios, like: 'Jane's credit card number was intercepted via a non-encrypted connection. She started looking for the padlock symbol on her browser's status bar. Now, her credit card number looks like this: @*#(!@($).' (That's just an example, by the way)

It's the content that's important, not the media, so your suggestions can be anything, be it an online document, multimedia presentation, or a print book."

2 of 274 comments

  1. Ultimatum by Wiseleo · · Score: 3, Interesting

    Hi Mom,

    My clients are required to be at a certain level of security before they are eligible for our unlimited support plan. Until that point is reached, hourly billing is used. The reason for that is because it takes a lot of effort to keep their systems running smoothly at that point, so it's not profitable for us to keep them on the unlimited support plan.

    You are enjoying unlimited no-charge support from me, but it takes away from our time to talk with each other. Wouldn't you rather talk to me about stuff other than work when I come to visit you? If so, please follow these simple guidelines and don't install any software unless you call me first.

    Thank you Mom :-)

    --
    Leonid S. Knyshov
    Find me on Quora :)
  2. Demonstration by JWSmythe · · Score: 2, Interesting

    I've had some good success through demonstration, and letting them make mistakes.

    My girlfriend is pretty good with her computer. She made mistakes before I met her, and learned from them.

    Her son has his own computer, and had made mistakes himself. With some stupid online game, someone got into his account, and messed it all up. His password was his own first name. I showed him some password scanning utilities, and explained how they work. I then described for him what a "good" password is.

    He then asked me "Can you hack their account, and mess it up?" I told him that I could, but I won't. Could I? Maybe. Maybe they were just as stupid themselves, and used easy passwords. Maybe if I looked around enough, there was something exploitable on the site. I wouldn't though, to teach him that revenge doesn't solve anything.

    I've shown both of them the joys of packet sniffing. While most of it was over their heads, showing them their own password was useful. "Look, I'm a hacker, and I can see everything you've done. To avoid me doing this, you should .... "

    Honestly, the best way I've found to protect myself is to learn what the bad guys are doing, and solve the problem. You have to teach them what the problems are, and how to protect themselves.

    It's usually better to teach someone yourself. You can judge if they are absorbing the information, instead of letting them skim over the pages that are Greek to them. "Password security? Ya, I have a password. It's 1234."

    I've seen so many people in office environments who are just told "don't do this", but they don't understand why, so they'll still make mistakes. How many zombie machines are out there on the Internet right now, because people didn't understand what not to do and why?

    Be Mr. Evil Hacker for a while. Mess with them. Tell them exactly what you did, and how to fix it. If you keep messing with them, it's very likely they won't keep making the same mistakes. There's no need to do anything particularly damaging. More than likely, they'll do it on their own. :)

    In the last couple years, I've reinstalled Windows on my XP workstation three or four times, from using bad practices. It's my own dumb fault for doing things that I know I probably shouldn't be doing. Of course, I'm doing them to see how they work. :) Neither my girlfriend's machine, nor her son's machine have had anything bad happen to them. I've even broken my Linux box, from doing very ill-advised things. Doing it once gives me the experience of "what happens if....?", so I can help other people later. For me, I don't really care if I completely hose an OS installation. I'll wipe it out and reinstall. I always have another machine that I can use. :)

    --
    Serious? Seriousness is well above my pay grade.