From a end-user point of view, security is boring. It’s part of the human behaviour: if it’s too much annoying, people will not follow the rules! Even more in the IT security domain.
I read the following story on the CISSP forum today. The question was:
“We are doing a campaign on why users should secure their desktop when they are not at their desk. Does anyone know of a good tale where an unattended/unlocked desktop was used to steal personal information, send an e-mail using the owner’s identity, etc?”
and one of the answers was:
“This is not exactly what you’re asking for, but I can tell you what I’ve seen to be very effective. I worked in an organization where open season was declared on unsecured desktops. What we did was anyone spotting an unattended desktop that wasn’t locked would send an email to everyone in the organization announcing they were buying doughnuts the next morning. It was good natured fun but VERY effective. I do not recall a single second offender.“.
Conclusion: Add some fun (but not too much) into your security presentations or campaign, users will be more receptive!
🙂 that’d be costly in large coorps. I first learned of that joke about 10 years ago in a less costly way and I still do it from time to time. Just send an e-mail to the whole organisation with the subject “I am mailing myself” and “that’s how stupid I am” in the body … sure works wonders.