Educating staff about IT security risks and measures they should take to avoid compromising system integrity is a critical enterprise activity, according to a senior federal government security official.

Robert Campbell, Assistant Secretary in the Information Security Group of the Defence Signals Directorate, told the Government Technology World conference in Canberra yesterday that user behaviour is a powerful factor in network security.

Uneducated users are a major source of vulnerability because the majority of attacks require a user to activate a corrupt

"Most Trojans require people to double-click and unfortunately we have created an environment where people are happy to double-click," Campbell said.

But educated users can provide IT managers with early warning of an attack.

"When they see something they think they shouldn't see, when they see an e-mail they didn't send, they can actually be one of our greater allies in terms of protection of the information that we have a charter to protect."

He said user education was a necessary part of an overall approach from IT security professionals to mitigate risk rather than seeking to eliminate it by denying available functionality to staff or clients.

"It's not about turning to people and saying 'You cannot do this' because, if you say that, IT security will lose," he

"It's about working with the client community to work out how we deliver the requirement."

He said there was also a need for IT managers to overcome complacency about the robustness of standard operating environments rather than relying mainly on firewalls and other

"It can be difficult to get through a firewall, but once people are on the inside it's generally soft and gooey and people can get a lot of information."