Remember that humans are the first and last line of defense. If they make a mistake that results in a security incident, it’s not the fault of the design of the IT system, but rather the people who didn’t know the email wasn’t really from their manager. I mean, the industry calls us “human firewalls”, right?
@jerry
By demanding accountability and putting their jobs on the line for clicking wrong, we create a good incentive to learn best practices. After all, who wants to work with people who don't try to be the best at what they do?
@maswan if all that protects your business from a major ransomware attack is John from sales, who has been up for 4 days straight trying to close a deal, not opening an attachment in an email, I am not going to blame John.
@jerry
Yeah, meanwhile in reality telling people to not click on things in the machine where you click on things to get your work done is an awful proposal for an effective security barrier.
I was trying to match your tone, but might have missed by a barn or two.
@jerry
Also, if we can learn anything from safety engineering, assigning blame to people (short of intentional malicious actions) makes it harder to find out what is actually wrong and fix the system.
@jerry
Yeah. Mature safety fields (chemical, aviation, civil engineering, etc.) seem to have recognized this, but that insight has been bought with a lot of blood. And even there, it looks like it is a struggle to remember it at times.
Makes for good inspirational reading to see how those fields work when faced with a failure.
Oh, and hopefully IT security can learn with less blood spilled.
@jerry Throwing money at tools is an expensive short term solution to a permanent problem. Employee training is an inexpensive mitigation control with long term payoff. Assuming you don't have high employee turnover anyways.