On 10/02/12 10:00 AM, Jay Ashworth wrote:
Even lots of *technical* people just don't understand what "a security-
related URL" *is*, and there's almost always no way to teach them.

Freakonomics recently aired a story about the problem of getting doctors
to follow hand hygiene rules and wash their hands as frequently as they
are supposed to (upon entering and leaving each patient's room) to avoid
spreading disease. One of the biggest problems with changing behavior
with doctors (and with technical people) is that the smarter people are,
the more they chafe at being told they aren't doing things the correct way.

The most effective step they took to counteract the hand-washing
problems was using a screen saver on all the public terminals, showing
the consequences of not washing - an image of a petri dish showing the
bacteria results from a hand-print of a doctor's hand.
http://www.freakonomics.com/2012/01/24/how-to-get-doctors-to-wash-their-hands-visual-edition/
If you wanted to have a similar effect at $workplace, try a similar
visual (e.g. a mockup of 2 screenshots, first clicking on a link in
email then typing in a password on a webpage with a phishing URL (with a
typo)) as the screen saver on all company computers; as the first slide
in all in-house ppt presentations; on the wall at all card-lock entry
doors, etc.
jc