Security Basics mailing list archives

Re: Security Training for Company's Employee


From: Saqib Ali <docbook.xml () gmail com>
Date: Thu, 22 Sep 2005 10:15:08 -0700

Bruce Schneier wrote in his book:

"Many security awareness programs are considered to be worthless by
security professionals, and I'm inclined to agree with that assessment.
In researching the problem, I've discovered that far too many
so-called awareness programs are nothing more than speeches informing
employees of the consequences of illegal activities. The focus is on
employees' misbehaviour and on penalties.

Threatening to fire people caught stealing secrets is not only a
waste of time, it's counterproductive. It's no wonder that "security"
has such a negative connotation for so many. People learn to fear the
word, and they report incidents to the department only as a last resort
- and sometimes only when they believe they are being set up.
.........

Programs that focus on penalties do nothing to educate, and that should
be the primary purpose of any awareness program."

Buy the book < http://www.schneier.com/book-sandl.html > for Bruce's
recommendation for creating a Security awareness program.


On 9/19/05, Syn Ack <thin.hack () gmail com> wrote:
Hello listmembers,
I've just begun a new job two months ago and I'm currently in charge
of improving the information security level in our company. As part of
this process I've been asked to create an InfoSec training for all the
company employees. I plan to split my training in several classes for
different kinds of audience: general, management, sales, technical,

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.

