> -----Original Message-----
> From: Brady McClenon [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 09, 2006 12:13 PM
> To: Derick Anderson; [email protected]; [email protected]
> Subject: RE: New article on SecurityFocus
>
> "If users could be educated it would have already been done by now"
>
> This is the attitude that is rampant in the technology sector that leads
> to the ignorant technology user. Those responsible for the education
> that believe users can not be educated create a self-fulfilling
> prophecy. I've heard so many times that "you can't expect users to
> understand that" as an excuse to not even try, that I'd like to scream.
I think you're taking what I'm saying a little too far. I think there are a couple of reasons beyond industry apathy which contribute to uneducated users:

1. It is too expensive. I think it would be great if all the users where I work had even a quarter of my rather limited security knowledge and experience, but try getting your C-level execs to take time out of their schedule to learn about phishing scams and WMF exploits. And I've got a full enough load without adding the preparation (dumbing down material, making it pertinent to other viewpoints, having visual aids, etc.) and delivery of user education to it.

2. Many users aren't interested in being educated. Most don't see how security relates to their job - about the only time they run into it is when they get denied access to something that they need, and it's true in IT just as much as anywhere else. When I raised the minimum password length from 7 characters to 8, I gave a short presentation on pass phrases (and how they are easier to remember) followed by an email with details on how 8-character+ passphrases are far more secure than 7-character passwords. One user responded that it was "overkill." Based on responses I've had since then I'd say less than 25% of our users actually started using pass phrases.

3. Many users can't understand security. Some people simply lack the capacity to understand how computers and networking work at all. Some people just don't have the paranoia it takes to be safe on the Internet. I had one user insist she'd gotten an email from the CIA about illegal websites she'd visited. I explained that it was spam, but she still wanted to print it out so I could read it. I had to say "Just delete it, that's spam" three times before she finally agreed to delete it.

4. Some users refuse to follow the rules. Just as there are plenty of bad drivers who passed driver's ed, there are users who willfully disregard policies or attempt to circumvent software designed to protect them.
Since it usually only takes one internal user to infect the network, this point alone seriously dings any benefit to be had from user education. You can't depend on it as a defined layer of security because you don't know where the holes are.

In my opinion a cost/benefit analysis of user education just doesn't fly. It's too expensive for the minimal return you'll get. It's not as though you can say, "We've spent $xxx training our users - that means we don't need AV anymore." I'd rather invest time and money adding layers of defense which aren't contingent on user participation.

> I've seen secretaries dependent on their typewriters and terrified of
> computers learn to the point where they are now dependent on their pc,
> and can't function without. Some became so proficient on office
> applications, that I later used them as a resource on other users'
> problems. How often do a mail merge... Wait... Have I ever? Sure if
> you teach 10 people at best probably 8-9 will get it, but that's better
> than having not tried at all.
>
> Very few people are willing to try to educate their users. This is why
> it has been done by now.

Expecting user sophistication to grow with malware sophistication as an answer to poorly designed software and systems just doesn't make sense. You can ingrain a few basics into peoples' heads (don't open attachments from people you don't know, don't follow links in emails from people you don't know, don't surf to questionable sites) but after that is where security professionals are supposed to take over.

Derick Anderson
