This article on developing an awareness program designed for the particular culture of the organization is grossly deficient, but most people working in the information security field aren't aware of it, apparently including those experts quoted in the article. They must understand that everybody in positions of trust hates the constraints imposed by information security controls that interfere with the performance of their work. They hate learning and using passwords, being restricted from access to certain information, locking computers and doors, reporting suspicious events, segregating their duties. That is why information security must be made a part of job performance rather than being in conflict with it.

People in positions of trust must be given the carrot and the stick and be rewarded for exemplary security and punished for poor security before any awareness program is going to be effective no matter what the culture of the organization.

By the way, your side bar on "Top mistakes users make" is wrong in stating the No. 1 mistake is writing down passwords. Users should be encouraged to write down their many passwords and keep them in a safe place such as a wallet or purse where they keep their credit cards. This facilitates choosing strong passwords. If people must use more than two passwords, they are going to write them down someplace anyway no matter how much awareness training you give them.