I have watched kids testifying before Congress. It is clear that they are completely unaware of the
seriousness of their acts. There is obviously a culture gap. The act of breaking into a computer
system has to have the same social stigma as breaking into a neighbor's house. It should not matter
that the neighbor's door is unlocked. The press must learn that the misguided use of a computer is
not more amazing than drunk driving of an automobile.
Ken Thompson
AT&T Bell Laboratories
Part B: Who is Responsible?
The most comprehensive security procedures, the best-written security standing operating procedure
(SOP), and the most sophisticated security hardware and software in the world will amount to nothing
if computer users are not security conscious.
The National Computer Security Council reports that the number one computer problem is a "lack of
awareness and concern among computer users, which leads to problems of neglect... in general, not
knowing or caring about good computer security practices."
This lack of awareness on the part of users is the cause of most problems. If a user does something
wrong, it is usually out of ignorance of security procedures and not willful disregard.
The individual computer user is the most important person in maintaining the security of computer
systems. If this security is to be maintained and effective, each user must develop a "security
mind-set." The properly trained and motivated user is the ultimate countermeasure to the threats facing
Army computers.
If security is to work, it must be accepted by the people who must live with it and enforce it on a
day-to-day basis. Users must be educated so that they understand why security is necessary, what
security measures are used and how they work, and who is responsible for what.
Part C: Required Security Training
AR 380-19 requires that all personnel who manage, design, develop, maintain, or operate a computer
receive security and awareness training consisting of an initial briefing and periodic training.
Part D: Initial Security Training
The first security training which computer users receive is the initial briefing. This briefing should be
given upon arrival at the unit, and should be given before the person begins his assigned duties. A
user should not be allowed to use a computer to process any classified or unclassified-sensitive
information until he has been given this briefing. The initial briefing should be tailored to the
computer
IT0772