Cultivating an Atmosphere of Proactive Computer Security to Mitigate Limited End-User Awareness

It is becoming increasingly important that employees are taken through a more rigorous security-awareness training programme, in order to protect their personal computer and the networks behind it and to ‘protect them from themselves’. Virus and spam writers have begun to try to fool employees with ‘social engineering’ techniques, which prey on an employee’s willingness to believe in an email sender-name or inquisitiveness stirred by the email subject title. The purpose of this case study paper is to demonstrate that, no matter how complex computer security systems are, effort should be concentrated and focused on employees to improve their security awareness. Each employee needs to become a ‘Security Deputy’ to the company’s computer security staff and he or she needs to take some responsibility for preventing security breaches – whether inside the workplace or not. In this paper we investigate whether it is possible to remove the ability of users to compromise computer security. As it is easy to unwittingly spread a virus, or open security vulnerabilities, should users be held responsible for their actions? Such actions might damage a company’s systems perhaps even more than malicious employees, through simple ignorance of security issues. Later in this work we explore the options available to increase the security awareness to a higher level, including automating security policy enforcement that will be examined as a method of removing the ‘human element’.