Lots of money goes into training users on how to follow IT security best practices and policies. And yet breaches still happen because people don’t follow the rules and exhibit generally careless behavior.
Are users not paying enough attention to security because they don’t face consequences for flouting the rules? Should we punish users for lax security? Over at Naked Security, we asked that question.
According to our poll, 77% of you said YES, users should be punished if they have had training. Another 12% said YES to punishing lax users regardless of whether they’ve had training. Only 8% said NO.
But could it be that the training is the problem, not the users? What’s missing in user training that makes it so often ineffective?
Our security expert Maxim Weinstein writes about this very problem at the Sophos Security Insights blog on Dark Reading. Maxim tells us that training programs too often ignore the crucial questions of what to protect and why.
Instead of jumping straight into the how of specific rules and policies, security training should explain what you’re trying to protect in a way that makes users understand the importance of security. Maxim sums up the crucial areas of security with what he calls the “Four Cs.”
The Four Cs are computers, credentials, connections, and content. If you can get your users into a mindset of thinking about protection in these four areas, then it will be one small but important step toward a secure chair-to-keyboard interface.
Of course it helps to have an easy-to-understand, and fun, training program for your users. We recommend that you download our training toolkit from our website and customize it to meet your needs.
What do you think? Should users be punished? Or is it up to IT departments to implement more effective training?