Ask Slashdot: How Can We Create a Culture of Secure Behavior?
An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"
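The submission mentions telling a user at creation time that the password they picked is "weak". Below is an added example of such a check, written for this discussion and not taken from the submitter or from any product; the short common-password list and the entropy thresholds (50 bits between "fair" and "strong") are assumptions for illustration, and a real deployment would load a full breached-password list instead.

```python
import math
import re

# Constructed sample of frequently chosen passwords (assumption for the example;
# a production check would load a large breached-password list).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Assumed thresholds on the estimated entropy, in bits.
FAIR_BITS = 50.0


def charset_size(pw):
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def estimate_entropy_bits(pw):
    """Upper-bound entropy estimate: length * log2(charset). Overestimates for
    dictionary words, which is why the list and pattern checks exist too."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def has_repeated_pattern(pw):
    """True for passwords built by repeating a short block, e.g. 'abcabcabc'."""
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return True
    return False


def rate_password(pw):
    """Return a label ('weak', 'fair', 'strong'), the entropy estimate and the
    reasons a password was rejected, so the UI can explain 'weak' to the user."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if has_repeated_pattern(pw):
        reasons.append("repeats a short pattern")
    bits = estimate_entropy_bits(pw)
    if reasons:
        label = "weak"
    elif bits < FAIR_BITS:
        label = "fair"
    else:
        label = "strong"
    return {"label": label, "entropy_bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["password", "abcabcabcabc", "Passw0rd", "Tr0ub4dor&3"]:
        print(candidate, rate_password(candidate))
```

Returning the reasons alongside the label is the point of the exercise: a bare "weak" teaches nothing, while "appears in common-password list" tells the user what to change. Note that the character-class entropy estimate is only an upper bound; a dictionary word with a digit on the end scores far higher than it deserves, so the list and pattern checks should be treated as the primary gate.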
In my 25 years working in IT, none of my passwords, weak or strong, have ever been hacked. Even my teenage sons, who have no idea about password strength, or site security, have never been hacked. And I doubt YOU can point to a single instance of someone hacking YOUR password.
Does password hacking happen? Yes, of course. Should we be careful? Yes. But there are much greater dangers, such as malware (which you no doubt HAVE had a personal brush with).
So if we need to put up with annoying security measures, let's at least focus on the more relevant dangers, rather than forcing us all to write down our passwords and stick them to the bottom of our keyboards!
Or more succinctly: incentives matter. What incentive does an employee have to keep data secret? Will he be demoted in rank and lose pay if he does something stupid?
What incentives do companies have to maintain a secure infrastructure? Will their insurance policy hold them liable if they do not?
I'm just in the middle of polishing up a puppet module to deploy a bunch of new certs on my infrastructure. My incentive is that my reputation looks pretty bad if I advise clients to be secure but my own infrastructure is not up to snuff. That's really an incentive to avoid lost opportunities, I suppose.
Google is talking about scoring up pages that are secure. Another very wise incentive.
Let's keep this ball rolling: what other incentives can we offer or explain?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
How many ATM heists and skimmers have there been over the past 10 years? I'd hardly say it's working WELL.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
It's working quite well. The cost of all that is very low on the scale of the banks and that's what matters. It's simply not about "0 incidents", it's about limiting the damage to little enough that it's not important.
Partly that depends on the bank, of course, as some are total dicks about it if your card gets skimmed, but that's a customer service problem. Detecting the problem, limiting the cost, and so on are all important systems that banks take seriously. And the banks are gradually making systemic, low cost changes to reduce the ease of skimming, or of hacking an ATM, but they're not in a hurry as it's just not that expensive of a problem (how many ATM heists to equal a single mortgage default?). More importantly, they're not trying to fix their customers!
Socialism: a lie told by totalitarians and believed by fools.