Forgot your password?
typodupeerror

Comment: Re:well (Score 1) 126

by Tom (#47537637) Attached to: The Psychology of Phishing

I gave an example of ensuring it's not.

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

Writing policy is not the same as educating people.

That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.

Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.

Because everyone is exposed to and knows as much about security as you do right?

No, because the wrong problems are addressed. I've given a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more. (they follow predictable patterns because most people will build the most simple password the policy allows, for example).

What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.

Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I don't consider it a psychological problem, it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizon, which at least for me is the main reason I'm posting.

Comment: Re:well (Score 1) 126

by Tom (#47535431) Attached to: The Psychology of Phishing

Ahh, so you work at one of those places with horrible culture.

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to drain the assigned helpers and floor supervisors, not the employees.

Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

Comment: Re:name and location tweeted... (Score 1) 822

You're a really sorry loser, posting ad hominem attacks against people you know nothing about as an AC. 20 years of online experience tell me one thing: There's a 95% chance that you are in fact the exact opposite of the man you pretend to be if you act like that.

Comment: Re:name and location tweeted... (Score 0, Troll) 822

Men really need to start to stand up for equal rights.

While I agree with your main point, equal rights is not the problem. Equal treatment is. We have the same rights, feminism has won long ago. But in many areas men and women are still treated very differently. Sometimes the women are treated badly, and there are many feminists making a big scandal of it, and sometimes the men are treated badly, and almost never anyone says a word.

Comment: Re:What?!? (Score 1) 822

Blame Twitter. If you had more than 140 characters available, you could properly voice your opinion in a way they cannot find fault with, for example by lauding them so excessively that anyone with three working brain cells understands what you really want to say.

Twitter is a free SMS broadcast service and public link sharer, nothing more. People use it for stuff that they really should take a minute of calm and a slightly longer text format for. Brevity is a virtue, but only really good writers can properly convey a complete thought in a short sentence.

Comment: Re:Customer service? (Score 1) 822

I completely understand why airlines do NOT let families on early, because they now charge people extra for those privileges. But if they were trying to maximize efficiency instead of profits, it would definitely make sense to move the families on when fewer people are obstacles on the plane.

If efficiency were your policy, you'd stop applying special rules based on arbitrary distinctions. While deeply engrained in our culture, there's no reason to treat families differently from other people travelling together, who may (or may not) have equally compelling reasons to want to sit in one row.

Airlines have destroyed their own customer friendliness by collectively fighting a price war until the point where they need to make you pay for napkins so they can operate profitably. I personally find it insulting that some arbitrary rules give some people priviledges that other people have to pay for. Do it 100% or don't do it at all.

Comment: Re:Elective surgery on a critical organ (Score 3, Interesting) 526

by Tom (#47526479) Attached to: Laser Eye Surgery, Revisited 10 Years Later

If you must, do the surgery that is reversible - they insert a small piece of plastic that corrects the lens shape.

Do you have a name, link or any other information on this? I'm seriously interested, because I would love to get rid of my glasses (haven't had them for very long, so I'm still getting used and I don't really want to), but even without medical advice I understand that irreversible surgery on an eye is not a good idea.

Comment: Re:well (Score 1) 126

by Tom (#47526443) Attached to: The Psychology of Phishing

Rubbish! If you are starting from scratch you have to lay the foundation.

Which foundation? Boring people for half an hour with stuff they couldn't care less about? I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

therefor the amount of people with genuine concern will never increase.

For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

It's hard to tell if you were attempting to be condescending with that first sentence.

Not at all. If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with. The problem is that culture is pervasive, so if the culture is different, you cannot change it just for this one thing, you need to tackle the entire corporate culture, and as soon as you start you have enemies, namely everyone currently profiting from the existing culture.

Comment: Re:Not everyone is train-able (Score 1) 126

by Tom (#47525413) Attached to: The Psychology of Phishing

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Not everyone can train people. Almost nobody can train all kinds of people, because they need to be trained differently.

More importantly, not everyone is acceptable as a trainer. Many, especially smart people, don't like being trained by someone they consider to be their inferior.

Comment: Re:well (Score 1) 126

by Tom (#47525375) Attached to: The Psychology of Phishing

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average").

Security awareness training in companies is largely nonsense. Your scenario is different not because of your memo, but because your people realize that something more important than shareholder value is at stake. And I dare to say that your weekly reminders are the secret, not any awareness training. Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up. It doesn't matter if people read it at all, what matters is that they consider it long enough to activate the desired memory of adequate behaviour, which means 2-3 seconds.

And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

Comment: overstate things much? (Score 1) 172

by Shakrai (#47516869) Attached to: Privacy Lawsuit Against Google Rests On Battery Drain Claims

MUCH more importantly, though, ads are draining your BANDWIDTH. It's important, because it's also a simple demonstrable harm. If you pay $30 per month for your internet bandwidth, and the ads use up half of it (conservative estimate)

In which universe do you live where ads on a webpage total up to half of the bandwidth to deliver said webpage?

Because Google purposely don't allow you to block the ads in android (*)

They don't make it easy but they don't make it all that difficult either. Buy a Nexus, Developer Edition, or one of the multitude of carrier branded phones that are rootable. Install one of the multitude of ad blocking apps that are available, AdFree being my personal favorite. Problem solved.

Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.

Working...