CertiGuide to Security+  9  Chapter 5:  Operational/Organizational Security (Domain 5.0; 15%)       9  5.8  Education

5.8  Education 1 5.8.2  User Awareness

The organization’s management, systems staff and users should communicate, sharing information about security concerns, and about users’ views of them. Sometimes systems administrators have been known to implement ambitious security policies without regard as to whether or not they were practical in their environment, and if they didn’t listen to feedback from users, they might never know that almost every user resorted to writing down that 12-character, mixed case, consonants-only password that the system automatically assigned them. Similarly, sometimes CEO’s are unaware of the risks their businesses face due to computer security issues. Remember that no one, CEO or lower-level end user, can act on security recommendations unless they’re aware of them, and that that takes communication. Similarly, regular communication goes a long way toward overcoming that “network support doesn’t care how hard they make it for us to get our work done” opinion that can be prevalent among end users.

One school of thought is the carrot and stick approach. The carrot is motivational slogans such as “SEC_RITY is not complete without U”

5.8  Education 1 5.8.2  User Awareness