What is antivirus protection worth when users try all the tricks they know to see the Loveletter.jpg.vbs picture? Why do they double-click on executable files? No matter whether it’s Kournikova, Labor Day greeting cards, or just an “undeliverable message” with “details” attached, many users don’t care.
Home users risk their privacy and may lose the ownership of their machines, but they can’t resist the temptation.
Corporate users are sometimes even less careful, as it’s not their machine and if it’s broken, it’s not their problem. The IT department will fix it.
“If the company sends the mails to my machine, they know what they are doing. Why shouldn’t I click on those mails?” I heard that once from a corporate user–it scared me, because it was that user who was causing an internal outbreak.
While that user enjoyed the weekend, the IT guys tried to regain control of their network. About 15 employees of that company were working the whole weekend, plus external consultants.
That was one of the most expensive double-clicks that company ever had.
Is it that hard to think twice?
Don’t users know enough about risks?
Don’t they know about the consequences of an outbreak?
What have we learned from history?
C’mon, it’s not that hard.
Next time you receive an unexpected (mail)-delivery, think twice before you let it pass your last line of defense.

October 2nd, 2007 at 7:55 am
Face it, folks - if user education was ever going to work, don’t you think that it would have worked by now?! 97.3% of the human population consists of idiots.
October 2nd, 2007 at 2:08 pm
Dirk, that video is genius, what a good laugh for the end of the day. I agree with your post completely. I think users have the same attitude with their computers that they have in most other areas of life: “It will not happen to me”. And, as you pointed out, they are even worse at work because it is not their problem.
Well, what I preach to my IT customers and business owners is having a strong corporate security policy and end-user education, then it becomes their problem when their job or future raises are at risk!
Michael Rowles
CopiaTECH
October 4th, 2007 at 1:27 am
While it would be nice if people heeded this advice for a change, I’m afraid our lusers don’t read this blog.
October 4th, 2007 at 6:24 am
I disagree to some extent. When a user gets a package from the mailroom, they assume that someone in the mailroom has taken the time to verify that there’s nothing suspicious.
When a user goes to greet a visitor in the lobby, that visitor (at most companies) has had to go through some screening process at the front desk to be able to get in the building.
Why shouldn’t they expect their email to be any different? In their minds (and they are at least partially correct), it’s the IT department’s job to stop unwanted mail and malicious traffic from getting to their desktop.
Until the IT department can say with certainty, “we’ve looked at this and there shouldn’t be any problem”, the user will continue to assume they are safe opening any email that comes in their mailbox.
If they can’t do that, IT is basically saying “you’ve hired us for a job but we don’t have the technology or the ability to do it all. You will need to help us.” I’m sorry, but I don’t help the mailroom determine if I need to get a particular piece of mail. I don’t stop cars coming into the parking lot to check them out, and I don’t think the users shouldn’t be able to trust their IT dept. to come up with an analogous solution that works.
Filter .vbs out of mail. Filter undeliverable messages with non-text attachments. Filter out attachments altogether, come up with a way for users to securely share attachments, or tell the guys at the top to stop complaining when someone clicks on something they shouldn’t. Standardize on an email program that doesn’t allow the user to click on links. Require the software companies to warn users incessantly when they’re about to do something they shouldn’t, like click on a link to a .exe file.
Demand accountability from the people who create the technology instead of spending resources trying to train users to do something that isn’t inherently their job.
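
The first two filtering rules suggested in the comment above (drop .vbs, drop “undeliverable” messages with non-text attachments), sketched as a gateway check. This is an added example, not code from the post or its commenters; the extension blocklist, the subject markers and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed blocklist of script/executable extensions (illustrative, not exhaustive).
BLOCKED_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".scr", ".pif",
               ".exe", ".com", ".bat", ".cmd"}
# Assumed subject markers for bounce-style lures.
BOUNCE_MARKERS = ("undeliverable", "delivery status", "returned mail")


def last_ext(name):
    """Return the extension the OS will act on: 'Loveletter.jpg.vbs' -> '.vbs'."""
    # Windows ignores trailing dots and spaces, so 'x.vbs. ' still runs as .vbs.
    name = name.strip().lower().rstrip(". ")
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def verdict(raw):
    """Return (action, reasons); action is 'quarantine' or 'deliver'."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    bounce = any(marker in subject for marker in BOUNCE_MARKERS)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # only parts presented to the user as attachments
        ext = last_ext(name)
        if ext in BLOCKED_EXT:
            reasons.append(f"blocked extension {ext}: {name}")
        elif bounce and part.get_content_maintype() != "text":
            reasons.append(f"bounce-style subject with non-text attachment: {name}")
    return ("quarantine" if reasons else "deliver"), reasons


def sample(subject, filename, maintype="application", subtype="octet-stream"):
    """Build a constructed test message with one attachment (sample data only)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"x", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [("A picture for you", "Loveletter.jpg.vbs"),
                        ("Undeliverable message", "details.zip")]:
        print(subj, "->", verdict(sample(subj, fname)))
```

The check keys on the last extension rather than the first, which is what defeats the “.jpg.vbs” decoy; a production gateway would also inspect file content, since a filename is attacker-controlled.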