Point
When I first got started in computer security, I spent half of my time trying to educate users. I repeatedly warned them, "Don't open attachments from strangers. Choose good passwords. Don't believe everything you read in an e-mail."
Security practitioners have shouted themselves hoarse trying to educate users. But has it helped? Obviously, no: Phishing scams are still raking in money, viruses are still spreading, and countless users continue to use their cat's name as a password for their online bank account. In fact, it looks like the situation is getting worse rather than better.
The demographics of computing guarantee a constant influx of inexperienced users, each one representing a potential finger poised to click "OK" on the button that releases a Trojan into your network. Why are we still bothering trying to educate them? They aren't learning and they won't learn, so the payoff for user education appears to be near zero.
While the average user's attitude concerns me, what really scares me is the apparent failure of user education to have a significant impact on the ranks of IT managers. You'd think after each new technology that gets fielded turns out to be a security disaster, they'd learn to ask "What about security?" before spending a fortune on some new widget with cool blinking lights. It seems that no amount of presentations, books or articles will get IT managers to pull their heads out of the sand.
From where I sit, it appears that the most effective tools for teaching users about security are pain and humiliation. In fact, they seem to be the only effective tools for teaching about security. I've noticed, for example, that there is nothing that gets people to take identity theft seriously like a $15,000 credit-card bill. Having to reload Windows every three months is an effective lesson about why viruses are good to avoid. Seeing stock options plummet because the customer database is on a public FTP site gets even the most reluctant IT manager's attention. Should we stop spending time trying to educate people and spend our time pointing and giggling instead?
Rather, it looks like we're going to lawyer up. The current trend in legislation--holding executives and companies liable for security problems--appears to be gaining momentum. On the corporate front, the pain level is going to increase pretty quickly, but what about the home users? Perhaps, instead of thinking of ways to educate them about security, we need to think of a way of letting them learn from their mistakes in a way that doesn't damage the rest of us.
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his Web site at www.ranum.com.
CounterPoint
I've met users, and they're not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they're not technologists, let alone security people. Of course, they're making all sorts of security mistakes. I too have tried educating users, and I agree that it's largely futile.
Part of the problem is generational. We've seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach newfangled technologies with trepidation, distrust and confusion, while the children who grew up with them understand them intuitively.
But while the don't-get-it generation will die off eventually, we won't suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there's no time for any generation to become fluent in anything.
Earlier this year, researchers ran an experiment in London's financial district. Someone stood on a street corner and handed out CDs, saying they were "a special Valentine's Day promotion." Many people, some working at sensitive bank workstations, ran the program on the CDs on their work computers.
The program was benign--all it did was alert some computer on the Internet that it was running--but it could just as easily have been malicious. The researchers concluded that users don't care about security. That's simply not true. Users care about security--they just don't understand it.
I don't see a failure of education; I see a failure of technology. It shouldn't have been possible for those users to run that CD, or for a random program stuffed into a banking computer to "phone home" across the Internet.
The real problem is that computers don't work well. The industry has convinced everyone that people need a computer to survive, and at the same time it's made computers so complicated that only an expert can maintain them.
If I try to repair my home heating system, I'm likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there's no point trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if something goes wrong.
Punishment isn't something you do instead of education; it's a form of education--a very primal form of education best suited to children and animals (and experts aren't so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.
Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. For more information, visit his Web site at www.schneier.com/bf.
This was first published in April 2006