Category - Papers / Articles

Microsoft Confirms Human is #1 Malware Propagation Method

Microsoft released their bi-annual Security Intelligence Report. This is a detailed analysis of the current state of malware and infection propagation methods on the Internet. Sources of data include Microsoft's Malicious Software Removal Tool (MSRT), which runs on and analyzes over 600 million computers every month. Their key finding? The human is the number one propagation method. Eliminate the human element and you eliminate almost half of system infections (actually, if you consider USB drives as part of human propagation, it is over 70%). Zero-day exploits? Less than 1%. As a result, one of Microsoft's top recommendations is

"Information security awareness and training are critical for any organization's information security strategy

...

The Rational Rejection of Security Advice - A Rebuttal

Recently, Cormac Herley of Microsoft Research released a whitepaper titled The Rational Rejection of Security Advice by Users. The paper discusses the cost issues of awareness training and education and includes a cost analysis of three awareness topics. He then documents why he feels these areas are not cost effective and questions the value of awareness programs. After reading the document, I wanted to share with you some of my own thoughts. On some parts I agree with Mr. Herley, on some parts I disagree, and on some I feel he is just dead wrong. The biggest difference between Mr. Herley and me

...