“In Information Security, and Risk management, “traditional” approaches are failing:
- Paperwork does not stop attackers.
- Focusing on disciplinary proceedings, policies and restrictions is treating employees like children.
- Quickly IT security becomes a theater of legal disclaimers, useless popup windows, and more paperwork, acted out by uninterested (but formally compliant) employees.
A more efficient approach is needed to make much needed progress. Such an approach should engage employees and uses the employees as an asset. ”
Awareness, Dialog, Automation, Pragmatism, … Security as part of the job Metric.