Security through marketing
Social Engineering isn't just a bad guy tool - it's an important part of the Security Engineer's arsenal.
Consider user reaction to the following statements:
-
We are going to enable strict auditing of all file access, so that we can see exactly what you do when you screw up.
-
We are going to enable strict auditing of all file access on this server, so that when someone else screws up, they can't possibly associate you with the blame.
I get a lot more acceptance with statement 2 than with statement 1.
What about the following different statements:
-
We are going to apply encryption software to your laptop - this will make it slower, and harder to log on to. You will have to remember a second password just to turn your computer on.
-
We are going to apply encryption software to your laptop - that way, if you lose it or it gets stolen, you won't get fired and/or jailed for exposing our customer data to the world.
The first says "I'm going to make your life hell", the second says "I'm going to make your life better". Both describe the same process. Particularly, consider that this policy must apply to Officers of the company, because they carry some of the secretest data around with them all the time, and they're most likely to successfully demand that policy not be applied to them.
By making it clear to the recipient of your message that they will get a benefit, as early as possible, any subsequent down-sides to your message will be better received.
As a measure of the success of this process - and of others planting this sort of message in newsletters and internal web sites - we have not had a single company officer ask for exclusion from the policy of laptop encryption. As a result, our customers' data is very strongly secured, even if a laptop does go missing.