Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Is Our Users Learning?

The April 2006 issue of Information Security magazine has a face-off between Marcus Ranum and Bruce Schneier (free subscription required).  I love to read both of them, and it’s even more fun to get some Point-Counterpoint action.  (“Bruce, you ignorant slut ...”)

I’m guessing from their arguments here, about how to handle users’ failure to learn, that Marcus is politically to the right of Bruce.  You can see the classic “let them learn from their own mistakes” contrasting with the “let’s blame the business” position.  (Now, don’t try to draw any inferences about my own leanings from how I describe these; I’ve got a Kinky Friedman bumper sticker on my car.)

Here’s Marcus:

From where I sit, it appears that the most effective tools for teaching users about security are pain and humiliation. In fact, they seem to be the only effective tools for teaching about security. I’ve noticed, for example, that there is nothing that gets people to take identity theft seriously like a $15,000 credit-card bill. Having to reload Windows every three months is an effective lesson about why viruses are good to avoid. Seeing stock options plummet because the customer database is on a public FTP site gets even the most reluctant IT manager’s attention. Should we stop spending time trying to educate people and spend our time pointing and giggling instead?

And here’s Bruce:

The real problem is that computers don’t work well. The industry has convinced everyone that people need a computer to survive, and at the same time it’s made computers so complicated that only an expert can maintain them.

If I try to repair my home heating system, I’m likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there’s no point trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if something goes wrong.

Punishment isn’t something you do instead of education; it’s a form of education—a very primal form of education best suited to children and animals (and experts aren’t so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.

To which I say:  it’s a floor wax AND a dessert topping!  Yes, we need to put in better safety measures to save users from themselves, but until that happens, whatcha gonna do?  What happens between the first strikes of litigation and the final rollout of the New Improved Crash Helmet?  You still need to teach people which things not to do today.  We can’t slack off on user awareness training; we just have to do it better.

Marcus has the right idea in making it a personal issue for the user; that sort of lesson is taken more to heart.  That’s why I provide classes on how to secure your home computer and how to prevent identity theft.  The employees of my organization are more interested in protecting their own resources, but the basic principles are the same:  if they learn better practices at home, that’ll translate into better practices at work.  And besides, remember those endpoints?  It can only improve corporate network security if the users are accessing it remotely from better secured boxes.

Still, there are some lessons that people just can’t, or won’t, learn until they actually do a face-plant.  America’s Funniest Home Videos is chock full of examples of people who still don’t quite grasp the laws of physics, and how long have THOSE been around?  We need to get better with built-in security to keep those kinds of people from doing the worst things:  we need better fences, unmissable warning signs, air bags, and other safety locks.  We need to be able to contain the damage better.  But we also need to get stricter about the idiots who do the technological equivalent of setting off fireworks in the middle of a drought area.  And we need to be ready to pick up missing fingers in the field.  Computers and firecrackers are both too user-friendly and too powerful.


Posted by shrdlu on Wednesday, August 23, 2006

Comments

LonerVamp United States on 08/23  at  03:16 PM:

Wow, that’s a nice piece in Information Security. I may not always agree with Marcus or Bruce, but I truly admire their authority, their way of making points, and, most notably, their passion. It was with great excitement to read them both in that piece.

Bruce hit some points I’ve concluded myself. 1) The “generational” part of the problem. I agree with the eventual technical aptitude of users increasing, although this will not itself necessarily increase security. 2) Technology moves too fast. By the time even experts get up to speed with some new technology, it is almost too late. 3) Computers need to be made easy, but secure for dumb users. 4) Nowadays, only experts can maintain them, even at home.

“Pain and humiliation” can be an effective educational tool, but it might have the extreme effect of turning people away from computers. Or if computers are necessary, they may just throw their hands up, reformat, fix the credit report, and otherwise give up on the battle. In the corporate world, managers may harbor disdain for IT due to it. I think it is necessary, but like Bruce says, it is primitive.

In a way, though, Bruce’s approach is humiliating and punishing companies economically… (then again, as economic entities, they tend to only listen to economics…)

User education still needs to happen, and I think it is awesome that you have classes on home security. You’re exactly right, they are still endpoints and they are assets to the company. Identity theft at home or aversion to technology at home can carry over to the professional zone, let alone VPN access directly allowing malware through.

What is truly scary to me is security is not just lacking in one space. It is everywhere in technology. From spyware in applications installed, to application overflows and insecurities, to sniffable, spoofable, and abusable protocols on the wire, to leaked data on p2p networks, to information logged in places it shouldn’t be, to web app coding issues, to physically stolen data…it is mind-boggling right now exactly all the pieces that have to be cleaned up and improved.

The common thread here would be users. There are still users and there are still people behind the creation of these things. And educating them both on security is a necessity.

If I had more of a financial cushion, I would start up something similar to Geek Squad, but instead of troubleshooting drivers, printers, and installations, I would educate users on and/or implement home computer security. smile

(I’m sitting here editing my post, and I have to say, the more I think about it, the more I side with Marcus’ position, even if I didn’t at first. How many people invest in home security systems or preventative car maintenance that haven’t first either been the victim of an invasion or costly car breakdown, or at least realized the cost of such…?)
