The title is from the refrain of a song that was popular many years ago, “Where have all the flowers gone” that was sung by Peter, Paul and Mary. I loved the folk music genre then and I still do today. The question, though, applies to cyber security and it was asked (in a wholly different way) by Roger Grimes in an InfoWorld blog post on May 20th of this year. The post is titled “6 things security pros keep getting wrong”. Number 3 addresses educating end users. Grimes concludes that section with “We need to teach our end users better about phishing and social engineering and what steps they can take to verify any suspected email or Web offer.” I agree. There are, of course, many things we need to teach our end users, and these are just some of the important ones.
I think we need to teach them some of the “whys”, too. Why should I change my password? Why is a complex password better than a simple one? In my humble opinion, users are more likely to do the things necessary to help with security if they know why they are doing them. Sure, there are some who don’t care and just want to do what’s necessary, but telling people that one reason to use different passwords for different websites is that if one site is compromised the bad guys don’t get access to all your information seems to help make the advice stick.
If people knew that there exist scanners that can duplicate office (and hotel room) key cards, and that the scanners are affordable to buy or build, they’d be more likely to keep the key cards in the protective sleeves they got with them. A demo of such a scanner, or even a video of a demo, would reinforce that even more. Teaching the “why” and actually demonstrating it is just good practice for helping people learn: if we can reinforce what we tell people, it helps them retain that knowledge. People in learning and advertising know, too, that the axiom “show, don’t tell” isn’t just for fiction writers; it helps a teaching or marketing message stick as well. In Learning Tree’s 3-day course – Social Engineering Deceptions and Defenses – we use hands-on exercises to teach the motivations and methods social engineers use, so that you can better protect your organization and prevent data breaches.
When you create that annual or semi-annual cyber security briefing for your users – whether it is online or live – work with good instructional designers to ensure that people come away knowing what to do. If you do that, they’ll be more likely to actually do the right thing.
What is your briefing like and how could it be improved? Let us know in the comments below.