Re: I wish my users protected data like this efficient PA
I take the point about asset lists not always being up to date, and I don't think that's the necessary solution to the problem. Yet it's still not the fault of the user concerned. They were, perhaps annoyingly, sticking stubbornly to their security training. In other words, they were doing exactly what we'd want them to do in the case of an attempt at social engineering. Repeatedly shouting at the user to give you information doesn't help prove the point. Asking the user to call back with a trustworthy number does do that. There are other ways to authenticate as internal and/or trustworthy, but none were mentioned. Worse, the user who acted in compliance with their training and was actually able to provide the required information without leaking potentially secure information was penalized in a frankly pretty irresponsible manner.