User education and awareness is a very generic term that is often used in business today to refer to the process of
'educating' users on the company's internal computer policy.  This effort often times addresses company policy, best, practices, security, etc.  What I don't see in most of these programs that I have reviewed as part of audits is the 'awareness' portion, and most likely because this takes a bit more effort.  Security professionals for years have been aware that a vulnerability within one of our systems has the potential to become an exposure on a global scale; most users and many system administrators have yet to recognize this new dynamic.  The very statement "we are a mid-size company in America, why would anyone in Asia care about our systems, even if they are vulnerable", is a concern. 

So my question to all IT Managers out there today is "what are we trying to accomplish? with this training effort?"  In the past my goal was to raise the level of awareness for the users so that they can begin to understand the scale of threats that exist on the Internet today. One website that has a great basic summary of things a user can do to improve the overall security of their computer or computers is the IS site at MIT.  This article reflects simple approaches, talking about technical and user practices that will aide tremendously in the overall security effort.

The title of my article today is "User Awareness and Education", as opposed to "User Education and Awareness", because I believe that user awareness is one of the most effective cybersecurity tools in our arsenal.  With awareness usually comes the desire for education, to understand the why. 

As an old friend used to say "This is where we have to engage the gray matter in our brain".

What say you?


tony d0t carothers --gmail