yaeauef: yet another example against user education fanaticism

Outside the business parking lot where I work there are 4-lane, fairly busy roads. On two of the drives out onto this street are very visible signs prohibiting left turns (i.e. across 3 of the 4 lanes, at a minimum). This is basically a sort of rule. However, there are, every day, people who disobey that sign and make the dangerous, inconsiderate left turn across all lanes, inconveniencing the people behind them and the drivers on the roads, and setting themselves up for an accident that will likely be billed directly as their fault, considering the disregard. Likewise, almost everyone “obeys” speed limit laws by only going, at most, 10 mph over the speed limit.

And we expect these same people to obey corporate IT policies? I guess my point is that user education helps those who care, but will do nothing to improve the security practiced by those people who are poor risk evaluators or just plain don’t care. They will take the shortcuts or bend the rules as they see fit. This is why I fall more on the side of technological controls than on user education when it comes to a solid security plan. I want both, but I can never truly rely on all the people…

I know, I’m beating a dead horse, but it’s an example I wanted off my chest and written down in my little journal here. Move along, these are not the droids you are looking for…