Re: Security Training for Company's Employee

Bruce Schneier wrote in his book:

"Many security awareness programs are considered to be worthless by
security professional, and I'm inclined to agree with that assessment.
In researching the problem, I've discovered that far too many
so-called awareness programs are nothing more than speeches informing
employees of the consequences of illegal activities. The focus is on
employees' misbehaviour and on penalties.

Threatening to to fire people caught stealing secrets is not only a
waste of time, it's counterproductive. It's no wonder that "security"
has such a negative connotation for so many. People learn to fear the
word, and they report incident to the department only as a last resort
- and sometimes only when they believe they are being set up.
.........

Program that focus on penalties do nothing to educate, and that should
be the primary purpose of any awareness program."

Buy the book < http://www.schneier.com/book-sandl.html > for Bruce's
recommendation for creating a Security awareness program.


On 9/19/05, Syn Ack <thin.hack@gmail.com> wrote:
> Hello listmembers,
> I've just began a new job two months ago and I'm currently in charge
> of improving the information security level in our company. As part of
> this process I've been asked to create a InfoSec training for all the
> company employees. I plan to split my training in several classes for
> different kind of audience: general, management, sales, technical,

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.