Blog: SANS Securing The Human: Category - Papers / Articles


What Topics do You Want OUCH! To Cover Next Year?

Folks, we are already planning the OUCH! security awareness newsletter for next year, 2013. We need your help deciding which security topics we should cover. What security challenges do you want to learn more about, how can we best help you, your family or your co-workers? Email us at with your suggestions on what topics we should cover, or how we can make OUCH! a better resource for you. Help make a difference and make the world a bit more secure.

Microsoft Confirms Human is #1 Malware Propagation Method

Microsoft released their bi-annual Security Intelligence Report. This is a detailed analysis of the current state of malware and infection propagation methods on the Internet. Sources of data include Microsoft's Malicious Software Removal Tool (MSRT), which runs on and analyzes over 600 million computers every month. Their key finding? The human is the number one propagation method. Eliminate the human element and you eliminate almost half of system infections (actually, if you consider USB drives as part of human propagation, it is over 70%). Zero-day exploits? Less than 1%. As a result, one of Microsoft's top recommendations is

"Information security awareness and training are critical for any organization's information security strategy


The Rational Rejection of Security Advice - A Rebuttal

Recently Cormac Herley of Microsoft Research released a whitepaper titled The Rational Rejection of Security Advice by Users. The paper discusses the cost issues of awareness training and education and includes a cost analysis of three awareness topics. He then documents why he feels these areas are not cost effective and questions the value of awareness programs. After reading the document I wanted to share with you some of my own thoughts. On some parts I agree with Mr. Herley, on some parts I disagree, and on some I feel he is just dead wrong. The biggest difference between Mr. Herley and me