Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Is Our Users Learning?

The April 2006 issue of Information Security magazine has a face-off between Marcus Ranum and Bruce Schneier (free subscription required).  I love to read both of them, and it’s even more fun to get some Point-Counterpoint action.  (“Bruce, you ignorant slut ...”)

I’m guessing from their arguments here, about how to handle users’ failure to learn, that Marcus is politically to the right of Bruce.  You can see the classic “let them learn from their own mistakes” contrasting with the “let’s blame the business” position.  (Now, don’t try to draw any inferences about my own leanings from how I describe these; I’ve got a Kinky Friedman bumper sticker on my car.)

Here’s Marcus:

From where I sit, it appears that the most effective tools for teaching users about security are pain and humiliation. In fact, they seem to be the only effective tools for teaching about security. I’ve noticed, for example, that there is nothing that gets people to take identity theft seriously like a $15,000 credit-card bill. Having to reload Windows every three months is an effective lesson about why viruses are good to avoid. Seeing stock options plummet because the customer database is on a public FTP site gets even the most reluctant IT manager’s attention. Should we stop spending time trying to educate people and spend our time pointing and giggling instead?

And here’s Bruce:

The real problem is that computers don’t work well. The industry has convinced everyone that people need a computer to survive, and at the same time it’s made computers so complicated that only an expert can maintain them.

If I try to repair my home heating system, I’m likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there’s no point trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if something goes wrong.

Punishment isn’t something you do instead of education; it’s a form of education—a very primal form of education best suited to children and animals (and experts aren’t so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.

To which I say:  it’s a floor wax AND a dessert topping!  Yes, we need to put in better safety measures to save users from themselves, but until that happens, whatcha gonna do?  What happens between the first strikes of litigation and the final rollout of the New Improved Crash Helmet?  You still need to teach people which things not to do today.  We can’t slack off on user awareness training; we just have to do it better.

Marcus has the right idea in making it a personal issue for the user; that sort of lesson is taken more to heart.  That’s why I provide classes on how to secure your home computer and how to prevent identity theft.  The employees of my organization are more interested in protecting their own resources, but the basic principles are the same:  if they learn better practices at home, that’ll translate into better practices at work.  And besides, remember those endpoints?  Corporate network security can only improve if the users accessing it remotely are doing so from better-secured boxes.

Still, there are some lessons that people just can’t, or won’t, learn until they actually do a face-plant.  America’s Funniest Home Videos is chock full of examples of people who still don’t quite grasp the laws of physics, and how long have THOSE been around?  We need to get better at built-in security to keep those kinds of people from doing the worst things:  we need better fences, unmissable warning signs, air bags, and other safety locks.  We need to be able to contain the damage better.  But we also need to get stricter about the idiots who do the technological equivalent of setting off fireworks in the middle of a drought area.  And we need to be ready to pick up missing fingers in the field.  Computers and firecrackers are both too user-friendly and too powerful.

Posted by shrdlu on Wednesday, August 23, 2006