Interesting Bits – May 1st, 2008

May 1, 2008

Happy May Day all :) And now for something completely different... okay, not really. Here are today's interesting bits:

Pragmatic CSO Newsletter #53 | Security Incite: Analysis on Information Security

Richi Jennings: Your Reputation in Peril: Use Outbound Spam Filtering: Stuff ‘n’ nonsense about email, spam, travel, and life in the UK.

Rational Survivability: Poetic Virtual Security

Farfromr00tin: Azureus Web UI XSS

Carnal0wnage Blog: Penetration Testing Scheduling

PortSwigger.net – web application security: Can you hit a moving target?

Coding Horror: The Great Dub-Dub-Dub Debate

Andy, ITGuy: I hack Johnny Long

Random Thoughts from Joel’s World: ISC Podcast Episode 3

spylogic.net – Winlockpwn: More then a Partytrick

Declassified NSA Document Reveals the Secret History of TEMPEST | Threat Level from Wired.com

Have a great day!

Kevin


Influencing our user community….

May 1, 2008

Mike Rothman, in his latest Pragmatic CSO Newsletter (I highly recommend subscribing), has a really good post up about our responsibility to ensure that the user community understands why they should adhere to established policies and not attempt to circumvent the controls put in place to protect our organizations.

I left the following comment and now am going to reuse it as a post :)

Mike,

I have been reading the book “Influencer: The Power to Change Anything” which I highly recommend. In it they posit that there are essentially six sources of Influence. They fall into two categories and what I call three strata. The categories are motivation and ability and the strata are personal, social and structural. Where motivation and personal intersect, the source of influence is defined as “Make the Undesirable Desirable.”

If the general user community does not desire to adhere to or follow established policies and is actively attempting to circumvent controls, then we have failed to instill in them a desire to be compliant. It is our responsibility to influence them to change that mindset, in other words, to make the undesirable desirable.

So how do we do that? What you suggest exemplifies what the authors of the book have discovered. People are much more likely to embrace ideas when they have been shown the consequences of ignoring those ideas in a very personal and impactful way. I’m not saying that we should all use the specific scenario you suggest, although it would certainly bring home the messages :), but we do need to find ways to instill awareness into our user communities that is much more personal than “read this policy and sign this paper.”

Kevin Riggins

