I just finished presenting Securing The Human at SANS VA Beach. This is a brand new version of the presentation with a great deal of new content. One of the things I focused on was how organizations invest so much in protecting computers, and yet so little in protecting humans. However, if you think about it, this just does not make sense. Humans are just like any other operating system; we store, process and transfer information. Just like any other operating system, we have our own unique set of vulnerabilities. For example, we are very bad at judging risk. In addition, the Internet makes it very difficult for humans to authenticate who is communicating with us. Unfortunately, so little has been done to mitigate the vulnerabilities that we, and not technology, are now the weakest link. The state of human security is currently at the same level Windows 95 and Windows NT were at when they first came out.
However, there is good news. Humans, just like other operating systems, can be patched. We can reduce human vulnerabilities with effective security awareness training. The challenge is developing and implementing an effective program. We discussed the three key pillars of an effective awareness program: WHO, WHAT, and HOW. By answering these three questions you will have the foundation for an effective program. Want a copy of the presentation? Grab a copy here. Missed the presentation? Come to SANS Network Security in Las Vegas, 19-27 September. Would you like me to come out to your organization and present? Just let me know.