Today as I was walking through the parking garage after work, I was vaguely aware of the loud beeping of a car alarm in the background. I didn't stop. I didn't even turn my head.

As I got into my car, I realized that a few years ago when a car alarm went off, everyone stopped to look. Now, everyone continues on with their business.

And I wonder how effective the car alarm is.

The same reaction has occurred with many security threats. For example, viruses and worms are no longer encountered with horror. When they first started to attack our systems and networks, people panicked at the very thought of them. The first worm made headlines in our daily newspapers, as well as on the evening news. Today, they have become so commonplace that only security types really worry -- and even then we rely on our software and hardware to 'catch' them.

Is this bad?

Complacency can be detrimental to a security program. As people become lax with their security responsibilities, the risk for security breaches becomes higher. It's a direct trade off.

However, getting people to remember their security responsibilities can be a challenge.

One way to do just that is to conduct annual training. The federal government already has this requirement. Annual training should cover the following areas -- at a minimum:

  • Identification and Authentication -- This includes password protection, length of the password, and other computer identification issues;
  • Security Breaches -- Make sure it's decided and well known as to who should be notified and what action should be taken if you suspect that a security breach has occurred;
  • Social Engineering -- Many people do not understand that social engineering is one method of getting around the software/hardware defensives. If someone you do not know well begins to ask lots of questions regarding your work, your boss, your office building... you should be suspicious;
  • Ethics -- Security responsibility requires ethics. You need to feel sure that workers will not attempt to go around the security devices installed, or go probing into areas where they have no business being. Make sure you make these rules clear, and make sure employees know what the consequences will be if they break them.
  • Best Practices -- A short overview of industry best practices always is a good idea.

    Another area of enhancing security is to implement and enforce the security policy for the network/system. If people understand the policy, and know that to break the policy will result in punishment, then they will be more likely to uphold the security policy.

    Strong management is necessary to make a security policy work.