Tuesday, January 14, 2014

Security Education, Training, and Awareness

Most organizations, I believe, put more effort into security policies and compliance with those policies than into actual security.  There is a belief that the more “security type settings” we enforce on systems, the more secure they will be.  My currently used security template is over 250 pages of settings that are required to be set on the base OS of each server we deploy.  Most of the time, these settings are blindly followed because they are required, and nobody really knows what most of them do, anyway.  The end result of this policy is a loss of functionality for our end users, along with confusion for our admins and security administrators.

http://iase.disa.mil/stigs/os/windows/2008r2.html

While we do have security personnel who are very good at their jobs and who, in reality, do a very good job of securing our networks, we could have a much better overall security stance if more in-depth education, training, and awareness programs were provided to the admins and users.

We currently have security training; however, it is always something like, “Don’t click unknown links.”  As an Admin, I often face questions from users about why certain websites, software programs, or behaviors are not allowed – usually things that are very simple on the users’ home PC.  A lot of the time the answer is, “Because the policy disallows it.”  I honestly don’t have any idea why the latest version of some software is not allowed on our network, and yes, I know it works great at home.

https://www.sans.org/reading-room/whitepapers/awareness/security-awareness-training-privacy-394

Unfortunately, I believe this creates an “us against them” attitude for everyone.  As an Admin, I really would like to know that there is some reason for this policy other than someone ruling from on high (who may or may not have ever actually seen a computer).  And as a user, tell me why it is almost impossible to perform some tasks at work that are commonplace elsewhere.  Just like kids who are told “No,” our first question is almost always, “Why?”

http://www.symantec.com/connect/blogs/awareness-education-and-training

If there were more security awareness (exposure), education (study and testing), and training (hands-on) – both upwards and downwards – a better understanding of our security policy could be achieved and a more secure environment would result.  As an Admin, I would know why I was utilizing a particular setting and why not to disregard it when it was inconvenient.  As a user, I would have a better understanding of why I can’t use the latest desktop widget – even though it might save me time and effort – and would be less likely to try to circumvent the system.  Communication is critical if you want everyone involved and on board for security initiatives.

http://www.sans.org/reading-room/whitepapers/awareness/developing-integrated-security-training-awareness-education-program-1160?show=developing-integrated-security-training-awareness-education-program-1160&cat=awareness
