Frank Hayes writes about making end users of IT more cognizant of security problems they create:

Say that instead of handling security problems invisibly, we made them highly visible to users. Suppose when one of those problem users opened a virus-laden attachment or triggered a firewall reaction or plugged a thumb drive into a USB port, that didn’t just create an entry in a security log. Suppose it instantly shut down network access for the user’s entire workgroup.

Oh, there would be screams. We’d hear them at the help desk almost immediately. And for once, those battered souls would know exactly, word for word, what to say: “It looks like Charlie downloaded a virus, and your group was cut off to protect the rest of the network. We’re working to clear the problem now.”

Well, that works both ways. How about we make support issues that go critical fall back on the mail admins who "solved" spam problems by having flagged email silently quarantined. I'm thinking something like this:

"Sorry Boss (company CEO) - Acme cancelled their contract because IT's spam protection system threw out every message they've sent us for the last month, and they decided that we were completely unresponsive.

What - notifications? No, neither their people nor ours ever got a bounce notice - the mails just disappeared. Talk to Ed in IT"

I think Hayes might want to step back from his "educate the users via pain" theory for a minute, and consider the motes in most IT department's eyes first.

Technorati Tags: IT