2006-03-23
In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.
Security Czar -- A.K.A. Mr. Tin Pot Economic Regulator
2006-03-24
Doug Sibley (1 replies)
Re: Security Czar -- A.K.A. Mr. Tin Pot Economic Regulator
2006-03-29
Anonymous (1 replies)

* Training and licensing for all new computer users
In my experience, user education is generally wasted effort. Educating users about security is equivalent to "patching" users. Every time a new type of vulnerability appears, you have to "patch" (educate) your users about the security risks and ways of mitigating these risks. The patching model of addressing security risks is not scalable. The end result sees many patches released but the underlying security problems remain.
Consider this contrived example. A newbie system administrator has root access to a *nix system, and unwittingly runs "rm -rf /" as root. To prevent this we could educate the user about the operating system and the "rm" command, but this still would not prevent them from actually running the command. A better way to prevent this is not to allow this user access to run this command at all by revoking their root access.
I realise this is a contrived example but I believe the point is valid. Wherever possible, do not educate users. Instead, enforce sensible security policy that will prevent inept or malicious users from negatively impacting IT resources. Where it is not possible to mandate security policy, education may help, but it's no substitute for a properly enforced security policy. Our goal as IT security professionals should be to find better security solutions that are secure by design, not to find "better" ways of patching fundamentally flawed designs.
Someone already made the comment, "security needs to become invisible. You, the end-user, shouldn't need to worry about patching your systems, upgrading your anti-virus, etc. This should all be part and parcel of the total cost of owning a computer, and should come pre-installed, invisible, and just plain working." I agree with this idea and I think it applies to both patching and user education.
Link to this comment: http://www.securityfocus.com/comments/columns/394/33410#33410
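The comment's "rm -rf /" case, with the policy enforced in code rather than taught to the user. This is an added illustration, not code from the comment or the column; the protected-path list is a constructed example, and GNU rm already refuses "/" on its own by default (--preserve-root), which is the same idea applied by the tool's designers.

```shell
# Added example: a policy-enforcing wrapper around rm, in the spirit of
# "enforce the policy, don't just educate". Not from the original page.

# Constructed example list of paths that must never be a removal target.
PROTECTED_PATHS="/ /bin /boot /etc /home /lib /sbin /usr /var"

# rm_target_allowed PATH -> returns 0 if PATH may be removed, 1 if it is protected.
rm_target_allowed() {
    _target=$1
    # Canonicalise so that "/./", "/etc/.." and trailing slashes are caught.
    # realpath -m (GNU coreutils) resolves paths even when they do not exist;
    # fall back to cd/pwd -P for existing directories, then to the raw string.
    _canon=$(realpath -m -- "$_target" 2>/dev/null) \
        || _canon=$(cd -- "$_target" 2>/dev/null && pwd -P) \
        || _canon=$_target
    for _p in $PROTECTED_PATHS; do
        [ "$_canon" = "$_p" ] && return 1
    done
    return 0
}

# safe_rm ARGS... -> runs rm only if every non-option argument passes the policy.
safe_rm() {
    for _arg in "$@"; do
        case $_arg in
            -*) continue ;;   # options such as -rf are not targets
        esac
        if ! rm_target_allowed "$_arg"; then
            echo "safe_rm: refusing to remove protected path '$_arg'" >&2
            return 2
        fi
    done
    rm "$@"
}
```

Installing such a wrapper as the only `rm` a junior administrator can reach (for example via a restricted sudo rule) is the enforcement step the comment argues for; the training step becomes optional.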