In my experience almost all corporate entities are very concerned about the maliciousness of the internet and consumed with purchasing the latest shiny security doo-hickey to prevent some bad guy from forcing his way into the private network. It's been a few years now that security professionals have been warning of the 'insider' threat, the malicious internal user hell-bent on causing destruction...or, even worse, doing it unknowingly. Have the management arms of corporate America (and the world, for that matter) taken up the banner of viewing just about everyone and everything as a potential vulnerability?

I don't think so, at least not yet.

Targeting an exploit at an end user is ridiculously easy: anyone who can click a link or open an attachment can be exploited. In some cases something as simple as forwarding a joke in an e-mail can result in the complete compromise of an entire corporate network. If it weren't easy, botnets wouldn't exist, or would be much less common. Worms wouldn't spread from office to office and computer to computer with the relative ease that they do now. Viruses wouldn't infect millions of systems within hours of their release into the wild.

Why do end users feel entitled to use social networking sites, personal e-mail, online banking, instant messengers, etc.? Why does an end user feel that the work network is simply an extension of his own home network?

Never once in the last 10 or so years I've been in 'IT' have I walked into a CIO's office, talked with him about locking down not only the outside but also the inside (segregating traffic, stopping users from doing anything except what their jobs require them to do), and not had a massive fistfight on my hands. If not from my direct managers, then from every other department head and every other division and every other employee.

You would think that those C-level managers would recognize the importance of stopping not only the outside from getting in, but the inside from getting out. Even at companies where I have worked in the past, whose networks are literally chock-full of tens of millions of credit card numbers, social security numbers, mother's maiden names and a laundry list of the items that could be found on any black hat's wish list, the response is always the same.

"Billy Joe needs to get to his Yahoo mail because he is conducting company business on it."

"Sally Sue needs to go to MySpace because I want her to be a happy employee."

"My department needs to stream MP3s from any possible source on the internet they want."

I literally had a director of sales tell me how he couldn't do his job without Google Desktop and Google messenger and access to any type of web content he saw fit. I had to fight tooth and nail and produce a mountain of evidence on why this should not be allowed. Luckily, I won that fight...for once.

The fact of the matter is end users are quite often stupid, greedy, and uncaring about the results of their actions on a network, *when it isn't their own data*.

That's something I spoke with a friend about once upon a time: what if, during a penetration test, we decided to go after not only the corporate data, but also the end users' data?

It's one thing to lose John Doe's SSN along with those of 15 million of his faceless, anonymous pals, but what if it's yours? It's one thing to lose John Doe's mother's maiden name, home address, checking account number, bank account number, but it's an entirely different scenario if it is yours, the employee's.

What would a CIO say if his machine were compromised and you took his credit card numbers?
(well, besides "you're fired")

Is this the way to make people realize just how it feels to be violated? To illustrate to them that their actions on a network have very serious and far-reaching consequences? Is it just me being an asshole?

I'm not sure if I know the answers to these questions, or how best to 'show' end users how absolutely important security is and that it is every user's job to enforce it. It's a cliche, but it's so very true: security is everyone's responsibility. Not just some forgotten poor bastard buried in the server room reading millions of lines of log buffer, or getting 500 e-mails at 3:30 am from a damn misfiring IDP (does this sound bitter?).

I think we're all remiss in our jobs as security 'professionals' if we don't clearly communicate this message, not just to management, but to the users directly.

The only good user is one with a dead computer :-)