Scare tactics – A viable weapon in the security war?

End users are frequently criticised as the sources of bad security practice, and it is suggested they might take the issue more seriously if they experienced a breach. An option for enabling this would be for security administrators to deliberately create conditions and situations that provide first-hand demonstrations to targeted users. Such approaches are referred to as scare tactics. It is widely accepted that securing information technology requires much more than just technology-based protection. We can hone the technology as much as we like but not get any benefit if people fail to use it properly. It might seem harsh, but security would be much easier to maintain if users could be taken out of the equation altogether. Feelings sometimes run so high that those working in the field say that security would be much easier to push, and more readily accepted, if you could teach users a lesson every once in a while.