Human Vulnerabilities: Fear of Looking Stupid

Exploitable Human Vulnerabilities Department:

Recently I put out a call to subscribers to help me build a taxonomy of human vulnerabilities. ISECOM actually has one, which I’ll be accessing and studying soon. In the meantime, I’ll post some of the responses. For instance, long-timer SubnetD suggests:

What about fear on the part of the end user about being made fun of for not knowing about something? Many users come from environments in which anything less than proficiency with computers gets you labelled a newb and made fun of. So what do they do? I’ll tell you: if they see something suspicious, they keep their mouth shut because they don’t want to be made to feel stupid in front of the almighty IT guy. I’ve seen it happen and heck I’ve even participated in both sides, superior and newb. You and I both know the end user is your best layer of security, that’s why we talk about educating them. But how do you foster an environment that makes them come forth and participate?

Thank you, SubnetD, for so accurately stating the underlying issue: fostering an environment in which users know when something’s wrong, and are willing to report it.