Next: Improve employee morale
Up: How can things be
Previous: Allow more attempts
Since one of the problems seems to be that users are simply unaware of security
concerns, it makes sense to make them aware. It is particularly important
that users see that security is taken seriously by the organization. One
method for increasing awareness is to provide feedback regularly. User
education will only be successful if users are motivated to learn more.
- Publish security reports including existing and potential threats.
Many organizations try to avoid admitting to intrusions, but by not making
users aware they do themselves a disservice because users will continue to
underestimate the risks.
If users are aware of the losses and potential losses for the organization
then their willingness to be careful and their perception of security
mechanisms will change for the better [Adams and Sasse, 1999].
- Let users know what information is sensitive and what isn't so they
can act accordingly. Classifications on documents such as "confidential"
make it easier for users to know what sort of secure behaviour is needed to
ensure that documents are safe, and many users are willing to help when they
are aware of the sensitivity of a document [Adams and Sasse, 1999].
- Provide detailed feedback during password creation. By explaining
what was wrong and why a given password is wrong, users will become
more aware of the reasoning behind the rules and have a better sense of the
importance of system security [Adams and Sasse, 1999].
- Take password infractions seriously. [Adams and Sasse, 1999] suggest
that punishment is not the best option (see Section 4.3 for more
on this), but if nothing is done about security compromises then users get
the impression that security doesn't really matter.
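The third point above, detailed feedback during password creation, is the one that translates most directly into code. The following is an added example (not code from this thesis or from Adams and Sasse): a checker that reports every failed rule together with the reason the rule exists, instead of a bare "invalid password". The minimum length, the small wordlist and the substitution map used to undo "leet" spellings are constructed assumptions for illustration; a real deployment would load a large dictionary or breached-password list.

```python
"""Password-creation feedback that explains what is wrong and why it matters."""
import re
from dataclasses import dataclass

# Constructed sample wordlist (assumption); a real system would load a large
# dictionary or breached-password list instead.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}

MIN_LENGTH = 12  # assumed policy value for this example

# Assumed substitution map: undo common digit/symbol-for-letter swaps so that
# 'P4ssw0rd' is recognised as 'password'.
LEET = str.maketrans("4301$!7@", "aeolsita")


@dataclass(frozen=True)
class Problem:
    rule: str    # short identifier for the failed rule
    reason: str  # what was wrong and why the rule exists


def _normalise(password: str) -> str:
    """Lower-case, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def _has_run(s: str, n: int = 4) -> bool:
    """True if s contains n consecutive characters stepping by +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - n + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(password: str, username: str = "") -> list[Problem]:
    """Return every problem found, each paired with the reason for the rule.

    All problems are reported at once so the user can fix them in one go
    rather than playing a guessing game with the sign-up form.
    """
    problems: list[Problem] = []

    if len(password) < MIN_LENGTH:
        problems.append(Problem(
            "length",
            f"only {len(password)} characters, minimum is {MIN_LENGTH}: every extra "
            "character multiplies the number of guesses an attacker has to make"))

    if username and username.lower() in password.lower():
        problems.append(Problem(
            "username",
            f"contains the account name '{username}': it is among the first things "
            "a guessing tool tries, so it adds no protection"))

    norm = _normalise(password)
    hit = next((w for w in sorted(COMMON_WORDS) if w in norm), None)
    if hit:
        problems.append(Problem(
            "dictionary",
            f"based on the common word '{hit}': cracking tools try wordlists with "
            "digit and symbol substitutions, so 'P4ssw0rd' is as weak as 'password'"))

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append(Problem(
            "variety",
            f"uses {classes} of 4 character types (lower, upper, digit, symbol): "
            "mixing types enlarges the set of candidates an attacker must search"))

    if re.search(r"(.)\1\1", password) or _has_run(password):
        problems.append(Problem(
            "pattern",
            "contains a repeated or sequential run such as 'aaa' or '1234': "
            "such patterns are tried early because people choose them so often"))

    return problems


def feedback(password: str, username: str = "") -> str:
    """Human-readable message for the sign-up form."""
    problems = check_password(password, username)
    if not problems:
        return "Password accepted."
    lines = ["Password rejected for the following reasons:"]
    lines += [f"  - [{p.rule}] {p.reason}" for p in problems]
    return "\n".join(lines)


if __name__ == "__main__":
    print(feedback("P4ssw0rd1", "alice"))
    print(feedback("Tr0ub4dor&3x-Coffee!", "bob"))
```

The point of `feedback` is the second half of each message: the user learns not just that "P4ssw0rd1" was refused, but that leet substitutions do not defeat a wordlist attack, which is the kind of reasoning Adams and Sasse found users were missing.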
Terri
2004-01-05