
Comment Re:well (Score 1) 128

I gave an example of ensuring it's not.

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

Writing policy is not the same as educating people.

That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.

Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.

Because everyone is exposed to and knows as much about security as you do right?

No, because the wrong problems are addressed. I've given a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more. (they follow predictable patterns because most people will build the most simple password the policy allows, for example).

What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.

Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I don't consider it a psychological problem, it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizon, which at least for me is the main reason I'm posting.

Comment Re:well (Score 1) 128

Ahh, so you work at one of those places with horrible culture.

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to train the assigned helpers and floor supervisors, not the employees.

Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings who thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

I've had the responsibility of writing or reworking existing IT security policies, and my advice has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

I love security. But I think our industry's approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

Comment Re:name and location tweeted... (Score 0, Troll) 928

Men really need to start to stand up for equal rights.

While I agree with your main point, equal rights is not the problem. Equal treatment is. We have the same rights, feminism has won long ago. But in many areas men and women are still treated very differently. Sometimes the women are treated badly, and there are many feminists making a big scandal of it, and sometimes the men are treated badly, and almost never anyone says a word.

Comment Re:What?!? (Score 1) 928

Blame Twitter. If you had more than 140 characters available, you could properly voice your opinion in a way they cannot find fault with, for example by lauding them so excessively that anyone with three working brain cells understands what you really want to say.

Twitter is a free SMS broadcast service and public link sharer, nothing more. People use it for stuff that they really should take a minute of calm and a slightly longer text format for. Brevity is a virtue, but only really good writers can properly convey a complete thought in a short sentence.

Comment Re:Customer service? (Score 1) 928

I completely understand why airlines do NOT let families on early, because they now charge people extra for those privileges. But if they were trying to maximize efficiency instead of profits, it would definitely make sense to move the families on when fewer people are obstacles on the plane.

If efficiency were your policy, you'd stop applying special rules based on arbitrary distinctions. While deeply engrained in our culture, there's no reason to treat families differently from other people travelling together, who may (or may not) have equally compelling reasons to want to sit in one row.

Airlines have destroyed their own customer friendliness by collectively fighting a price war until the point where they need to make you pay for napkins so they can operate profitably. I personally find it insulting that some arbitrary rules give some people privileges that other people have to pay for. Do it 100% or don't do it at all.

Comment Re:Elective surgery on a critical organ (Score 3, Interesting) 550

If you must, do the surgery that is reversible - they insert a small piece of plastic that corrects the lens shape.

Do you have a name, link or any other information on this? I'm seriously interested, because I would love to get rid of my glasses (haven't had them for very long, so I'm still getting used and I don't really want to), but even without medical advice I understand that irreversible surgery on an eye is not a good idea.

Comment Re:well (Score 1) 128

Rubbish! If you are starting from scratch you have to lay the foundation.

Which foundation? Boring people for half an hour with stuff they couldn't care less about? I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

therefore the amount of people with genuine concern will never increase.

For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

It's hard to tell if you were attempting to be condescending with that first sentence.

Not at all. If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with. The problem is that culture is pervasive, so if the culture is different, you cannot change it just for this one thing, you need to tackle the entire corporate culture, and as soon as you start you have enemies, namely everyone currently profiting from the existing culture.

Comment Re:Not everyone is train-able (Score 1) 128

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Not everyone can train people. Almost nobody can train all kinds of people, because they need to be trained differently.

More importantly, not everyone is acceptable as a trainer. Many, especially smart people, don't like being trained by someone they consider to be their inferior.

Comment Re:well (Score 1) 128

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average").

Security awareness training in companies is largely nonsense. Your scenario is different not because of your memo, but because your people realize that something more important than shareholder value is at stake. And I dare to say that your weekly reminders are the secret, not any awareness training. Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up. It doesn't matter if people read it at all, what matters is that they consider it long enough to activate the desired memory of adequate behaviour, which means 2-3 seconds.

And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

Comment Re:This has nothing to do with sexism (Score 0) 962

The difference here as usual is that women expect to be treated differently. They don't think that's what they want but it is actually what they want.

The real truth is something that most men have trouble understanding: That women, like lawyers, have no problem at all holding two mutually exclusive opinions at the same time. They want to be skinny and make a diet and they want to eat that cake. To many women, there's no conflict in that.

And when it comes to equal rights and stuff, they want to be equal, but treated specially, and they don't notice that these two things cannot co-exist. You can be my equal or you can be my princess, but you cannot be both.

I'll hold the same position here for the same reasons. If the girls want to be treated like girls then that's fine. If they want to be treated like men, that's fine. But stop trying to eat your man cake and have your girl perks too. It's either/or.

+1

Comment Re:Crazy (Score 2) 778

unions pushed for this legislature,

Anyone can push for anything in our society. If you hate Free Speech as well, just come out and say it. Also, unions are not deep sea monsters, they are groups of people, so claiming that people didn't, but unions did is just more handwaving.

The democracy is broken specifically because it allows large organisations to destroy individual rights of people that are not organised that way,

I'm not a big fan of our current political system. But you're a lunatic. Individual people have the right to form these organisations and have them push for legislation. It's how the system works. It's actually a pretty great part of the system, because through unions and other organisations, groups of individually weak people can accumulate enough voice to actually be heard.

Unions destroyed competition in the job market.

Yes, that's their job. It's because total competition is good for the bottom line, and bad for absolutely everything else, including society, freedom, health. Read a history book about when and why unions formed. You want to go back to the times before that, when people worked 16 hour shifts and serious health issues or death were regular results of your work conditions?

as many other horrific things that were pushed through during the FDR

This is the first time ever I've heard anyone call the New Deal "horrific". You do realize that even the hardcore Keynesians who argued strongly against it at first later on agreed that it was a success, yes?

which is what destroys the economy when the majority (employees) are pitted against a minority (employers).

You could've said that earlier, it would've saved me a lot of time if you had admitted that you are completely delusional and honestly believe that in the employee/employer relationship, the employers are the weaker party. Now I understand why you're afraid of majorities dominating minorities - you are a member of a very, very tiny minority with that POV that the real world refutes every minute of every day.

- I am not part of the majority on anything, when you find yourself to be 'part of the majority' that is the time to reform yourself. Majority rule is 2 wolves and a sheep voting for what is for dinner.

And your advice to the wolves one sentence before that is to become sheep. Priceless. :-)

- the facts are in, I am an employer

anecdotal evidence isn't, and a single data point is meaningless in any and all statistics.

including the fakes with the PhD behind their names, the likes of Krugman, who only proves that illiterate fools can too get Nobel prizes

Sorry, can't answer, I'm laughing too hard.

Comment Re:Crazy (Score 1) 778

First of all this wasn't "society",

hogwash. It's a law. Laws are passed by elected representatives, which is the form that we, as society, have agreed upon. Saying "this wasn't society" is the same handwaving as saying "it wasn't me who pulled the trigger, officer, it was my finger".

Minimum wage is a vestigial expression of racism in the US.

Which is why it exists in a hundred other countries who don't have the US racism, yes? Try again, maybe with an argument that survives for three seconds.

Secondly there are plenty of people that [...]

If you don't like democracy, how about you say it outright? If you have a couple million people, then no matter what you will always find "plenty of people" who disagree. You could pass a law that says the sky is blue and you'd find people who dislike it. That doesn't prove a thing and it's not an argument. We live in a society that has agreed that majority decides which way we go. If you don't like it, at least say you hate democracy. But I'm pretty sure you don't - you only hate it when you're not part of the majority, right?

The minimum does not apply to various categories of people, for example the mentally retarded (medical term).

Yes, but in that case there is an objective, rational reason for it. That's quite a different category from "I and some other people don't like it".

economically horrid idea

You are entitled to your own opinion. You are not entitled to your own facts. Unless you have actual evidence of economic damage, you're spreading lies here.

and the likes of you are so economically illiterate,

Maybe you shouldn't throw cheap ad-hominem attacks on people whose educational background and profession you don't know. There's a real danger it'll make you look like a complete idiot later in the discussion. ;-)
