Shostack + Friends Blog Archive


How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.]

Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, I’m fond of the flexibility that computers give me to do all sorts of things, some of them stupid.

I think that we need to do more to make security usable, to set the defaults right, and to reduce the desensitization that so many products engage in.

What’s worse, auditors and consultants love to insist that you train your users about the importance of security. And that means that training material like Ben Rothke’s “Computer Security: 20 Things Every Employee Should Know” may well be useful.

I have a fondness for little books. That it is hard to write concisely is a subject I intend to talk about quite a bit. Rothke’s ‘20 Things’ is best understood as a collection of short essays, a page or three in length. Each is easily digested and understood, and the book as a whole is a fine component of an education program until we start creating better products. It is a little book in the very best of ways. In other words, you ought to be buying this book, and its sequels, for a long time to come.