The Greatest Security Flaw Is People, Stupid

By Alex Handy

April 18, 2008 —  Five years ago, Winn Schwartau decided that network security was pretty much a solved problem. Sure, there are still many potentially debilitating attacks that can’t be blocked, and a determined attacker is still the most dangerous of threats. But Schwartau saw a much more significant hole in enterprise security: the minds of its employees.

That’s why Schwartau founded SCIPP, a non-profit organization that trains and certifies non-technical users. Schwartau’s programs favor engaging speakers and a flair for entertainment and humor, rather than simply threatening the users with punishments for not following security guidelines.

“There are techniques for measuring the security awareness knowledge base. In advertising they do the same thing. They measure and gauge response through feedback mechanisms and market testing,” said Schwartau. “We do the same thing with SCIPP. It’s not just sending out one e-mail a year. It’s an ongoing campaign based upon impressions.”

Schwartau took issue with traditional security classes for non-technical users. “The difference is they go, ‘Thou shalt not do this.’ An enterprise worker goes to work and doesn’t care about policies. He cares about getting a paycheck. What he does care about is protecting his family. I can teach you how to protect your kids and how to protect your identity, then I said, ‘By the way, this is all we want you to do at work.’ Instead of HIPAA, we might call it you personal info. Instead of Sarbanes, we use your credit card number,” said Schwartau, describing typical examples of data he teaches to protect.

Schwartau’s non-profit, SCIPP, performs classes around the US and can be found online at www.scippinternational.org.


Related Search Term(s): Security

Share this link: http://www.sysmannews.com/link/32053