is there a reaction to security warnings

I saw this quote today in some news that hit my rhetorical question button:

The Ministry of National Defense located in Taipei has warned their personnel against cyber attack. Awareness at the user level is more important than ever after a recent discovery of an intelligence leak at the National Defense University.

What would you do differently in your job if you received a warning from your boss, from upper management, or from the security team to be wary of cyberattacks? What will your own employees do differently? Will they even know what the warning means, or where to begin?

I can imagine my mom getting that notice where she works (a hospital) and making basically zero change in behavior, because it really means nothing to her. Should she stop more strangers in the hallways and challenge them for ID? Should she refrain from email communication? If her computer crashes unexpectedly, should she be quicker to call IT to report it and have it investigated?

Does your security training equip employees to be able to process and respond to such a warning? Maybe the company shouldn’t even give these warnings and instead only raise the warning level of technical/security staff? Did you send out a warning to employees the other week to be on the lookout for any ANI/cursor files sent via email or posted on websites? Does that really change anyone’s behavior or do they just talk to their immediate peers about how stupid that email was for 5 minutes?

2 thoughts on “is there a reaction to security warnings”

  1. honestly, i wouldn’t expect different behaviour as a result of either of those 2 example warnings… there’s nothing actionable in either of them…
    imagine telling people to be on the lookout for someone named timmy mcgee but not telling them what he looks like or how to recognize him…
    if one wants to get people to change their behaviour under a particular set of conditions, one has to explicitly state what the preferred behaviour is and how to recognize when those conditions have been met…

  2. In my organization I doubt many of the normal users would 1) read the warning or 2) take the time to scrutinize files for ANI shenanigans.
    I’m not being as pessimistic as I am being honest. It’s hard enough to get the IT folks to read the email and arrive at some actionable conclusion. Either the email is too long and no one wants to read it, or it’s too short and lacks enough detail to be actionable (something Kurt touches on above).
    In my opinion, it’s our job to relieve our users of as many technical decisions as possible when it comes to security (through controls and filters) and leave them with decisions like: ‘Should I REALLY download and install this virtual-vegas-slot-machine game?’ or ‘Should I REALLY accept this IM file transfer from someone I don’t know?’ or, even better, ‘Should I REALLY put classified material on a laptop?’
    We’re better served when we train our users the difference between good and bad computing habits.
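The second comment’s point, that controls and filters should take the technical decision away from the user, can be shown concretely for the ANI warning mentioned in the post. The following is an added example, not code from the post or its commenters. It assumes a mail gateway that hands the filter each attachment’s name and raw bytes; the quarantine policy, the expected-extension list and the `scan_attachment` helper are illustrative assumptions, and the sample attachments are constructed inside the block. The check keys on what the attachment is (a RIFF container with the ACON form type, which is how an animated cursor file starts) rather than on the name it arrives under, so a user never has to recognise “an ANI file” themselves.

```python
import os
import struct

# Added example, not code from the blog post or its commenters. It shows the kind of
# content-based control the second comment argues for: decide by what an attachment
# *is* (a RIFF/ACON animated-cursor container), not by the name it arrives under.
# The policy below (quarantine every ANI attachment) is an assumption for illustration.

ANIHEADER_SIZE = 36  # a well-formed anih chunk holds nine 32-bit fields (36 bytes)
ANI_EXTENSIONS = {".ani", ".cur"}  # assumption: names under which an ANI is expected


def build_ani(anih_payload: bytes) -> bytes:
    """Build a minimal RIFF/ACON container around one anih chunk (constructed test data)."""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    if len(anih_payload) % 2:
        chunk += b"\x00"  # RIFF chunks are padded to an even length
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def is_ani(data: bytes) -> bool:
    """True if the bytes are a RIFF container whose form type is ACON, whatever the filename says."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data: bytes):
    """Yield (fourcc, payload) per top-level chunk; payload is None if the declared size overruns the data."""
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        if start + size > len(data):
            yield fourcc, None
            return
        yield fourcc, data[start:start + size]
        pos = start + size + (size & 1)


def scan_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment: the evidence found plus the action the filter takes (hypothetical helper)."""
    result = {
        "is_ani": is_ani(data),
        "extension_mismatch": False,
        "malformed_anih": False,
        "action": "allow",
    }
    if not result["is_ani"]:
        return result
    ext = os.path.splitext(filename)[1].lower()
    result["extension_mismatch"] = ext not in ANI_EXTENSIONS
    for fourcc, payload in iter_chunks(data):
        # An anih chunk that is truncated or not the 36 bytes the format specifies is malformed.
        if fourcc == b"anih" and (payload is None or len(payload) != ANIHEADER_SIZE):
            result["malformed_anih"] = True
    result["action"] = "quarantine"  # assumed policy: the user never gets to decide about an ANI
    return result


if __name__ == "__main__":
    # Constructed samples: a plausible header and an anih chunk of the wrong size under a .jpg name.
    good = build_ani(struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1))
    bad = build_ani(b"A" * 64)
    for name, blob in [("cursor.ani", good), ("holiday.jpg", bad), ("notes.txt", b"just text")]:
        print(name, scan_attachment(name, blob))
```

The point of the design is that the outcome does not depend on the recipient noticing anything: a cursor file renamed to `holiday.jpg` is caught by its first twelve bytes, and a header chunk of the wrong size is recorded as evidence for whoever reviews the quarantine, while the user only ever sees that an attachment was held.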
