Ira S. Winkler wrote:
>
> I agree with almost everything that was said by Steve Smith, with the exception
> that I do not think you should stress policies to users. You should stress
> Procedures, and why the procedures are important. All too often I see security
> presented as "It is important to protect information, and if you don't you will
> be fired."
>
> I prefer to see awareness programs say things like check for access badges and
> challenge people that don't belong there, or do not give out your password for
> any reason to anyone. This is as opposed to you are required to wear your badge
> or protecting your password is important.
>
> It is a fine line, but it makes a difference. Awareness briefings and policies
> tend to say that protecting information is important, without providing
> practical examples of how to do it.

Absolutely agreed. I feel also that the way you get the point across is imperative to system security. If people feel like it will be a challenge they will try, plain and simple. Procedures are more threatening to a potential system intruder.