Schneier: Security Awareness Training 'a Waste of Time'
An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"
It demonstrates that the car industry has failed. We should be designing systems that don't need seatbelts and don't care if the user decides to slam into a tree at 100km/h. The whole concept of secure driving is just an abstract benefit that gets in the way of enjoying driving.
Users can screw up because they are just as human as you. So live with it. Design around it. Make it safe regardless.
I've only been saying that since, mwah, 1999 or so.
Policies are OK, but rules that assume perfect compliance to work are really only there to cloak the failure of engineering in some fault tolerance in system architecture and user UI design. Glad someone finally caught on.
A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools.
Love many, trust a few, do harm to none.
He's comparing security with health and driving to 'prove his point'. Security is not the same as health or driving. So, any conclusion from making a comparison is a false one.
Second, you don't have to choose between completely ignoring security awareness training and spending lots and lots of money and time on it. There is a very good choice somewhere in between. I agree with him that the information systems have to be secure and shouldn't offer dangerous actions, but no matter how secure you make your information system, it will all fail if the user has no clue about what he or she is doing. And giving employees a basic level of security awareness doesn't have to cost a lot of money but will still help you prevent a lot of trouble.
It doesn't have to be like this. All we need to do is make sure we keep talking.
I totally agree with Bruce here
We should be designing systems that won't let users choose lousy passwords
It reduces the search space I have to look at in order to brute force things, and that's a good thing...
Security Awareness training is a tick the box exercise most companies do to get auditors off their back.
Apparently, users are supposed to be "trained to recognise phishing emails and other Internet frauds". IT has enough trouble these days trying to recognise them, and somehow our ordinary users are supposed to recognise them too?
Users have to be "trained to pick good passwords". The system should be designed to prevent users from picking bad passwords in the first place.
Users should be advised to "pick strong passwords and change them regularly". Two contradictory statements, no-one can remember a new complex password that changes regularly unless they write it down. Oh, users should be told "not to write down passwords".
Awareness training is pushed because there are a number of so-called "security consultants" who have no real technical skills, yet have made a living pushing this snake oil. They unfortunately are also good self-promoters and have the ear of regulators and auditors.
If you are relying on security awareness to protect your infrastructure, you're screwed. Most users don't care, and even those who do care cannot possibly be expected to remain aware of the myriad of threats that exist. Often, their attempts to remain secure achieve the opposite purpose ("I heard you tell me email was insecure, so I use dropbox now to transmit files to customers").
What galls me most is I have to spend part of my IT budget this year spending money on this stupid notion because it is expected by auditors. This means I have to cut back on the security projects that make a real difference.
Nice to hear it from someone with a big name. I'm an IT security specialist, giving talks every now and then, and I've basically been saying the same for years now. It is one of the topics where I face the most fierce opposition, usually from (big surprise) consultants and other people who offer security awareness trainings.
I've been doing this for so long that I can sum it up in one sentence by now: If security awareness trainings worked, don't you think we would be seeing SOME effect after doing them for 20 years?
Of course, I am exaggerating a bit to make the point. I do think that training to make users familiar with specific security protocols is useful. I don't think general security awareness is. There is a plethora of reasons why it's a failure, from the context-specific nature of the human mind to the abstract level, but the main reason is that we have enough experience to show that it really is a waste of time and resources. Putting the same amount of money and effort into almost any other security program is going to give you a better ROI.
Assorted stuff I do sometimes: Lemuria.org
While I agree with him to a certain point, there is a limit to how far security can be imposed on a user. Security always introduces overhead to doing a job. A user will accept that to a certain point if the reason is explained; however, there is a point where putting more onerous security restrictions on a user is counterproductive.
For example, if the IT policy is that passwords must be changed every week, be 80% different, be a combination of letters, numbers, upper and lower case and cannot contain any part of your userID. That sounds safe; however, it makes it a great burden for users to generate and remember passwords. So what happens? They write them down and security is compromised.
Using the car analogy, the reason that driving is safer now is that the work of driving safely is hidden. Users do not need to work to drive safely; items like anti-lock brakes mean that users are safer without additional workload. What we need in security is ways to make things secure while at the same time reducing the effort to keep secure, for example biometrics.
One example is spam. Spam has basically been defeated not by putting more onus on the email reader but by having better spam detection, which means 99% of the time users are not aware spam has even arrived.
Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
I think I understand his point, and I agree in part, but I also disagree. I think security awareness is good, but I think relying on it is bad.
First of all, I think there will always be situations where the security technology fails - social engineering is an obvious example - and ultimately the final barrier is the security smarts of the target. Anything which raises that barrier, even a little, is a good thing. The question, obviously, is whether the benefit is worth the cost of the training.
And secondly, I think in general that making people more aware is always good. People are way too trusting, and that covers the gamut from clicking dodgy attachments to falling for Ponzi schemes. I think it's good to teach people to question more, to think critically, and to be risk-aware. And by "teach people" I mean "starting in primary school".
It's about things like the call-centre operator who gets a call saying "Can I check my balance ... yeah, here are the details ... and while you are on, can you tell me my wife's balance too." It's about the shop assistant in a phone shop who has someone asking for a replacement for a phone they just flushed down the toilet - they're desperate, miles from home and have no ID on them but expect an urgent call from their aunt in hospital so need a replacement on the same account. It's about the middle-level IT manager who gets a call from a very annoyed board director who says his password doesn't work and you'd better reset it now or heads will roll. It's about not lending your access card to a visitor so they can go to the canteen when you are too busy to take a break.
Security training is very important, but it needn't concentrate on systems.
is that many companies are too lazy to even get the most fundamental things right. Why on earth would you not distribute your own CA for your internal web services? Do you really want to train your employees that clicking on the "accept certificate" button is an everyday thing to do? Why don't you manage to get the security settings in a way that "content from an unknown source" is not "content from your own file server"? How the hell should the office assistant know that this is dangerous and theoretically unusual if in everyday work the instruction says to accept it several times per day? Why would you enable macros in office documents for no reason and not sign the document?
All security training, hints like "be careful when opening attachments from unknown sources", are annihilated if you train your employees every day to do the exact opposite thing, namely by constructing workflows and selecting toolsets which require exactly that.
My 2 cents on this
a) If there is a "do not use/do x" in your security education, then something is wrong. The right way is "use/do y"
b) Construct your standard processes in a way that your users/employees can work securely *AND* efficiently.
c) If there are new tools and your users demand these, keep an open ear! Note to the management: reserve some budget for it. If users find Dropbox an efficient service, the right way is not to forbid it but to ask yourself why you can't provide any decent file sharing on your own servers.
His examples are about forms of security or safety in different areas, but that really isn't that important for the point he's making, which is not about the type of technology involved, but about human behaviour. If we recognise short or medium term consequences we're far more likely to adjust our behaviour than if the consequences only affect us in the long term or if the link between cause and effect isn't clear. With the current state of IT the link is unclear, so training people will not be very effective. Energy is better spent on adapting the technology to the limitations humans have.
These are invariably give and take.
People simply need to be smarter. They aren't. No amount of precautions which do not inhibit functionality will help. People want to do what they want to do. The weak link is almost always the people and you can't control them with computers. You can limit what they do, but now you're encroaching on usability.
The end user training may be a waste, but we definitely need security training for management. More than once I have implemented systems that require strong passwords, hash those passwords, and perform strict certificate validation only to have the customer demand no password requirements, clear-text stored passwords, and lax certificate checking because they are lazy and their IT people are incompetent.
He is correct. User training is largely a waste of time, and both in development, and deployment, the systems are not designed or setup for security. So yes, users clicking a link is not safe, and it should be. Users opening an application and reading data should be safe, but isn't.
These problems have to be engineered out. They cannot be socially controlled out; the audience has neither the inclination, knowledge nor interest in resolving this. And even after training, once it's established how you've trained your monkeys, a new method will be established that undoes the training.
The whole industry is still in its infancy. It's building bridges that are made from cardboard, and without any form of certification or regime. This will only be resolved when it becomes apparent that software providers cannot ship things like 'our software cannot be held accountable for anything, have a nice day'. Nobody in the world making bridges gets away with 'if this bridge falls down, we are not accountable'.
The Adobe and Java scenario is exactly like this. Both are wholly unaccountable, and yet frankly directly responsible for perhaps billions upon billions of dollars of data loss, theft, security breaches, and so on.
There is no fundamental reason why people should even bother to make their software secure - so they only apply a baseline effort to the task. Until this is addressed, the rinse, shampoo, rinse, shampoo will repeat. And it's actually why the security landscape is degrading. Things like Metasploit may have seemed to help. But fundamentally the white hat hacking and info security folks have ultimately not helped. It's only highlighting how bad things are, putting guns in hands that should not have them, and making things globally worse. The vendors have not changed by very much.
We're all equal
This is a rose-colored glasses view. If everything was perfectly designed, perfectly implemented, and used by knowledgeable users, sure, that might work. We live in an imperfect world run by lowest bidder wins, quickest product to market, "good enough" security to not get us sued. This will not change. As long as the focus of a product is to make someone money, it will only be done "good enough" with the focus being minimum invested for maximum return. I believe the security of products is getting better all the time. But the majority of the time, the weakest link in the chain of security is the user. Why do you think that social engineering is so widely used? Simple really........ BECAUSE IT IS EFFECTIVE. Why go through all the effort necessary to exploit a system when a simple phone call can net you the same result? Technical security can only protect you so far... you have to involve users in your security plan or you are simply keeping your head in the sand....
What's this we shit? Why don't you practice what you preach and design a system from the ground up with enhanced security in mind?
I mean, it's not as if you are saying anything that hasn't been said for what, almost 20 years now. I know all the flitting back and forth to conferences and whatnot is exhausting, but to me, Bruce, you are becoming more of a P.T. Barnum of security and crypto every day. Self-promotion and loud noises / flashy things, but in the end it's all just rehashes of what other people said before.
By far, the weakest link in almost any programme nowadays is the user. Most times people claim their account has been "hacked" it is because they fell for a phishing scam. While I'm sure some companies are doing it hideously wrong, if a couple of hours of training stops even one user from giving up their password, it could save hundreds of hours of work, never mind all of the other wonderful legal consequences.
But no, let's just give up entirely, and let the scammers win.
You'll never make a computer system completely idiot proof, a more impressive idiot will ALWAYS come along. "Security Awareness training", or at least some pamphlet or something handed out to the departments is only going to help. While it is very true that the primary focus should be on securing the system as much as possible, letting the users know some of the simple rules to follow to help keep it secure is always a plus.
The main failing of passwords is passwords - so get rid of them. Simples.
I read the points he is making, and I respect Schneier, especially in terms of the work he did earlier.
He makes some interesting discussion points, but it mostly seems to boil down to that we have to fix things from an engineering perspective, and let the rules of thumb about security spread by osmosis.
I would say, while there are still gains to be made at the engineering level, for many organizations serious about security, the low-hanging fruit has mostly already been taken care of. Going further would often require complete reorganizations of the way they work, all their applications, and their network infrastructure. That is simply not an option that's on the table right now for most organizations. Also, a lot of the current weaknesses come with at least some level of social engineering. Making sure people properly notify the right people of phishing attempts, pointing out to coworkers that they are not wearing their badge, or keeping security basics in mind, is something people will only do if they believe it has some importance to them. A proper security awareness training can give them that. Yes, you cannot teach everything there, but if done properly, you will give people more willingness to do something. And that can make a lot of difference when you deal with advanced threats (I hate the APT term, but have yet to come up with something more appropriate).
Yes, 95% of security awareness trainings suck, but let's face it, 95% of everything sucks. That doesn't mean that there is nothing useful to convey.
Perhaps Schneier has always seemed a bit out of touch with the reality in organizations, so it's amusing to read from him (from TFA):
Well, I have met actual users, and I would say they could learn about some basics like 'don't give your password in exchange for a chocolate bar offered by the coughing guy in the trench coat in the parking lot'.
Security training is a necessity, but it's almost always done incorrectly. As much as it shocks us, there are still hordes of workers who have no idea what spear phishing is or why anti-virus doesn't wholly protect their computer.... My belief is that once a year and at the start date of the employee you have an online brief going over basic security/what to look for, reinforce the fact that the network and individual systems are monitored, and let them know what the penalties can be for not practicing what they are learning. You make it so you have to click a question every 2 or so slides so they can't just click through, and then the kicker is if they don't pass they don't get to take the test again. Everyone who fails has to go to an in-person briefing with security and corporate leadership.... Guarantee more attention is paid to the content when the possibility of looking like a dummy in front of the bosses is there (and yes, I know the bosses will probably fail too...)
And of course everyone should agree that better security implementation within systems, networks, apps, processes, etc. should be accomplished. That's a no-brainer. But by no means should we just disregard trying to ensure the user base, who has never heard of half the shit talked about on Slashdot, has some kind of basic knowledge of what can go wrong when they open up furry_kittens.flv on their work machine...
News Reporters Make Tasty Polar Bear Treats!
Schneier is right, but such wise advice doesn't play well with the industrial rhetoric of "creating jobs". It's harder and less lucrative to make good developers than sending cops to patrol and having users buy silly security patchworks. The problems of the security industry are buried deep in its own reasoning and opportunistic behaviour.
But some people really are security idiots who click on phishing sites!
And what do I see just to the right of the lead-in about how Bruce Schneier says security awareness training is a waste of time? An ad for Kevin Mitnick's Security Awareness Training.
Time's fun when you're having flies. - Kermit the Frog
It's all about how you present the security awareness. Start by asking a simple question: "Do you care about your profile/account/access?" Then keep it simple from there. Just one or two one-line paragraphs or bullet points, or a video lasting max 30 seconds. Use emotions and feelings and pack it all up with kittens and upbeat indie music. That is how you get it into the skulls of the mediocre masses.
This point of view smacks of "if we just worked a bit harder/longer we'll be able to build a perfectly secure system".
It ain't gonna happen. Not for a system as sprawling as the internet, not for a system with requirements as complex as an operating system.
The more you know about security, the easier it seems to do what is required to improve security - but you have to have very tight control of platforms to be able to follow through on implementing that security. And tight control prevents innovation. Often, security reduces the usefulness of a product.
Convincing everyone in the IT world that they need to spend $ on educating developers and implementing security features is an insurmountable task - and even if you manage it, you still won't be done, because the security issues we understand now and have fixes for are only a subset of all security issues. New types of holes will be found continuously.
Of course, end user training might still be a waste of money - I can't deny that.
systems that don't care what links a user clicks on
Definitely. As far as is possible we should stop users accidentally doing something stupid by making sure that they can only do the right things. This is not always practical though, as for a start there are factors outside our control (for the password example we can't control how the user might store and potentially distribute their credentials in other services (password managers) or in the real world (bits of paper)).
systems that won't let users choose lousy passwords
I can't see a way that could be implemented which is not essentially an attempt to enumerate the bad, which is never a good idea. Even if it was for the most part, some of the things that make lousy passwords are again well out of our control: there is no way in software "don't use the same credentials for everything" can be enforced.
Security awareness is a lot more than just properly managing passwords and such - there are real world interactions that users need to be aware of so some training is definitely needed no matter how close to perfect the security in your applications is.
we should be investigating in technologies that detect password misuse or the unauthorised install of software on a user's PC.
Unauthorized by whom? There are plenty of tools for web development, remote assistance, and accessibility that show up as "potentially unwanted programs" in certain spyware checkers. A web server could have been installed by a web developer testing his own web application, or it could have been installed by an intruder to serve up kid porn.
Sure - I agree, the system should prevent the user from picking bad passwords or clicking phishing links... but what about the social engineering attacks? That's way more of an issue.
I've seen Schneier all over the place recently - does he have a new book coming out or something? Why is he suddenly so visible?
What I don't get... is why we even still have passwords. Why don't we all have Read only USB security dongles that confirm our identity? For banks, for work, for your medical records? The rest of the sites... Slashdot for example, who gives a crap. But a universal HARDWARE standard for sensitive info seems like a rather simple solution to do away with all this password nonsense.
Telling people what they need to be doing, and then never punishing them won't work. If people start getting fired for failure to follow security practice, it would stick more. And communicating good security practice doesn't require a consultant or speaker. There are videos out there; examples of what to look for. I agree hiring a big name to train everyone at your company who uses a computer is a waste of funds better spent, but ignoring the human element is willful ignorance. It is disingenuous for someone with a security background to even hint that technology could ever reach the point that it could prevent users from insecure behavior. The fleshy computers have to get patched too, and when they stop accepting patches, you ditch them and get new ones. You find out if the patch was installed by testing them.
refactor the law, it's bloated, confusing and unmaintainable.
The security of a computer is only as strong as its weakest link, and that weakest link is almost always the 6 inch gap between the ears of the computer user. And because the compromise of an entire network is easier to achieve once a single computer on the network is compromised, that makes the security of the corporate network only as strong as the weakest link... and every time you think you have found your company's dumbest user, you find another one who makes your previous candidate look like an IT geek. :)
So you almost have to plan for "when we have a breach, how are we going to mitigate it and recover" instead of "if we have a breach, how do we hide the evidence", while knowing that the company management will almost certainly shoot down your plan on cost grounds and then fire your ass when the breach occurs.
Because the problem with IT security in most organizations isn't training the rank and file, or building more-secure systems. The problem is that you can have all the IT policies in the world (coding standards, complex passwords, granular access), if they're not enforced with real consequences for ignoring/avoiding them, then it's all useless. Case in point: I once worked in a Fortune 500 company that had a pretty strict password policy (change password every 90 days, upper/lowercase/special characters required, etc). Everyone was required to adhere to the policy... except senior management, who felt it was too inconvenient. The CEO's password was the name of the company in lower case, and it never expired. Suggesting that they be required to adhere to the same policy as everyone else was a terminable offense.
Unless people get fired for violating IT policy, the policy might as well not exist.
Never underestimate the power of stupid people in large groups.
Other wastes of time:
Driving School
Hunter Safety Class
Swimming Lessons
First Aid Course
Condoms
Proverbs 21:19
It's not enough to train programmers.
We need to have a serious code of ethics and severe penalties if we don't abide by it.
Like lawyers, like engineers, our job can bring disasters if we are "forced" to do it in a way that is against the code of ethics. And God knows how many times our bosses ask us to do things that we are not supposed to do in our "field".
You nailed it, and your scenarios take me back to Air Force basic training. There was a "dorm guard" appointed who had to watch over the door and ensure that no unauthorized individuals were let in. An instructor would walk up to the door and show his ID; we had to check it against a list to see if this guy is allowed in, even if it's somebody you know and trust. "One white common access card....Sgt. Jones" *looks over at list* "One white common access card....Sgt. Jones. Access granted. Please stand clear of the door, sir." The instructors would do crazy shit like flip up a picture of Mickey Mouse then demand to be let in, yelling and screaming etc. Random instructors would show up out of uniform and demand to be let in for some plausible-sounding reason. If you fell for any of it though and violated protocol, they would tear your ass to shreds.
Maybe we should send computer users off to IT boot camp? lol.
'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,'
----
Uh huh. And when the owner / C level individual comes over and says he wants his password to be "airplane" because that's the only one he has ever used and he's not remembering a new one, what would Bruce Schneier tell them? No? Fuck you?
1) Tell people about social hacking/engineering.
2) Tell people about common tricks like infected flash drives being dropped in parking lots, calling and requesting a password, etc. etc.
3) Warn them that sometime during the year, YOU WILL TRY TO HACK THEM.
4) Tell them if they fall for the hack, they will not get a bonus that year. (It helps if you actually give out yearly bonuses - even $100 will be fine)
5) Actually test them two months later.
6) If they fail the test, send them an email and require that they take your 10 minute class again.
I have found that if you do this, then people learn. The threat of losing even $100 bonus a year is more than enough to get people to stop being stupid.
Note, this will not stop people from downloading things from the internet and/or playing games. But it will stop them from picking up random flash drives and using them - as well as stop them from giving out passwords over the phone.
excitingthingstodo.blogspot.com
I'm surprised so many slashdotters agree with Schneier, when this view of security is overly simplistic idealism. To continue the car analogy... As with the safe operation of a motor vehicle, some responsibility lies with the operator of the vehicle and some lies in proper design and maintenance of the system. The average driver knows nothing about how the air bag is designed or how crash zones work. They may know nothing about routine maintenance such as changing the brakes. If these are not done properly, no matter what actions the driver takes, the car is not safe. Conversely, a perfectly designed and maintained vehicle can be operated in an unsafe manner by an operator. A computer operator, as the driver of a car, will always be able to operate the equipment in an unsafe manner. You might be able to make a user have a secure password; you can never prevent them from logging in their friend or falling victim to social engineering. Schneier's inability to recognize that a good security policy INCLUDES staff training brings into question his judgment.
Buffer overflows, heap corruption and many similar bugs are found most easily by someone who has access to the source code and can understand it. However, not all problems can be laid on the developers. Phishing is a problem that developers can hardly prevent. Also, users need to understand URLs (http://www.google.com.somewhere.else). At some point, users are always forced to trust software they did not write, and on a modern computer that has been used for a while, no one can assure that no malicious code has been installed, whatever antivirus vendors say. However, users need to be able to detect signs of infections.
Despite all that, clearly more security by design is needed. Reading about all the patches for Windows, Flash, Adobe Reader and Java makes me sick -- instead of building new features that are rarely needed into these systems, security should become a top priority for high-profile software. Simple mishaps put millions of users at risk. While Microsoft has at least instated measures (secure development lifecycle), similar efforts by Adobe, Oracle and Apple seem to be lacking.
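The URL point in the comment above (a trusted name buried in the left-hand labels of an unrelated host) is the kind of check a mail gateway or browser can do on the user's behalf. This is an added illustration, not code from the thread or from any product it mentions; the trusted-domain list and sample URLs are constructed, and the "last two labels" rule is a stated simplification of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed samples: the hostname trick quoted in the comment above, a
# genuine login page, a userinfo trick ("brand@host"), and a second lookalike.
SAMPLE_URLS = [
    "http://www.google.com.somewhere.else/login",
    "https://accounts.google.com/signin",
    "http://paypal.com@evil.example/secure",
    "https://google.com.example.net",
]

# Assumed allowlist of brand domains the organisation trusts (placeholder values).
TRUSTED_DOMAINS = {"google.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the host a registrant actually controls.

    Simplification: the last two labels. A real checker consults the
    Public Suffix List so that e.g. "example.co.uk" is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Classify a URL as trusted, lookalike, or neither, from its host alone."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)

    # A trusted brand appearing anywhere in the host while the registrable
    # domain is NOT that brand (google.com.somewhere.else) is the classic
    # lookalike: the user reads left-to-right, DNS resolves right-to-left.
    brand_in_untrusted_host = (
        domain not in TRUSTED_DOMAINS
        and any(brand in host for brand in TRUSTED_DOMAINS)
    )

    # "paypal.com@evil.example": everything before "@" is credentials, not the
    # host, so a brand there is also a red flag.
    userinfo_trick = parts.username is not None

    return {
        "url": url,
        "host": host,
        "domain": domain,
        "trusted": domain in TRUSTED_DOMAINS,
        "lookalike": brand_in_untrusted_host or userinfo_trick,
    }


def flag_lookalikes(urls) -> list:
    """Return only the URLs a gateway should hold for review."""
    return [r["url"] for r in map(analyse_url, urls) if r["lookalike"]]


if __name__ == "__main__":
    for result in map(analyse_url, SAMPLE_URLS):
        verdict = "LOOKALIKE" if result["lookalike"] else (
            "trusted" if result["trusted"] else "unknown")
        print(f"{verdict:10} host={result['host']:32} domain={result['domain']}")
```

Of the four constructed samples, only accounts.google.com resolves to a trusted registrable domain; the other three are held.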
01. For no reason whatsoever, your car would crash twice a day.
02. Every time they repainted the lines in the road, you would have to buy a new car.
03. Occasionally your car would die on the freeway for no reason. You would have to pull over to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue. For some reason, you would simply accept this.
04. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.
05. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive -- but would run on only five percent of the roads.
06. The oil, water temperature, and alternator warning lights would all be replaced by a single "General Protection Fault" warning light.
07. The airbag system would ask "Are you sure?" before deploying.
08. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.
09. Every time GM introduced a new car, car buyers would have to learn to drive all over again because none of the controls would operate in the same manner as the old car.
10. You'd have to press the "Start" button to turn the engine off.
AccountKiller
Also, we have an entire antivirus industry just to pick up the badness left in the wake of broken software.
Why don't we...y'know...fix the broken software first?
Defense in depth.
User awareness enables users, to a certain degree, to be more vigilant. Whether this 'control' is effective most of the time is the issue.
When it comes to money and investing in controls, the argument can be made that it should not be prioritized on security awareness, but it shouldn't be abandoned anyway.
Just like antivirus, useless for the most part against signature evading threats, but those common, basic, yesteryear threats are still there, and the case can be made that AV should still be around, although it is definitely not seen as the primary protection layer it once was thought of.
with a test drive and credit approval but it's just a way to get in front of a high-pressure salesman.
Especially your noting PERSONAL interest - that's everything, more than anything. IF you "give a hoot" about something & find it interesting, you'll become involved in "how it works" as best you can @ the nuts-N-bolts levels. Otherwise, you're wasting your time (and won't do well in it either, or as you put it, "in 1 ear & out the other").
HOWEVER: When you DO have someone that's genuinely interested (in anything really, just using a concrete specific example from my own experience in this very area - showing others how to TRULY secure a Windows NT-based OS as best as is currently possible)?
THIS is the kind of results you get & this is a discrete example of it by quoted testimonial from THRONKA below:
To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.
That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...
Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on a simple workstation for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow-up call, which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does a
"Security Awareness Training" == "Working hard today to prevent yesterdays problems tomorrow"
Which also happens to be the TSA's motto.
Yes. That is the goal of security training. Not to fill in the security blanks left by bad programming and design.
I have seen appropriate training stop attacks before they caused serious damage because the primary message was "If you see something odd, speak up."
Similarly, most people do not understand how the criminal underworld works. A few stories about fraud or attacks that affect business in your sector and you have a far more cooperative employee base.
The goal is not to make every employee part of the security staff. The goal is to help the employees understand how their behavior can affect the business and them personally.
The story is Bruce Schneier slamming security awareness training--but the banner ad is for Security Awareness Training with Kevin Mitnick.
I'm going to go have a ROFL fit now.