CNET's Joris Evers writes about one security expert who says educating users on computer security in the enterprise setting is "pointless". Doctoral candidate Stefan Gorling, speaking at the Virus Bulletin Conference, said:
"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."
Some of the attendees agreed while others vehemently disagreed.
The trick is to know what you're talking about and to bring the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.
"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."
I agree with Cooper. I understand trying to educate some users is like talking to the wall, but that does not mean we shouldn't try. I do know, from working with home users on my SpywareWarrior forum, where volunteers help users get free of malware, that some will probably never change their online behaviors, even when confronted with proof that their online carelessness is what got them infected. We had one user whose ID had been stolen by a keylogger and password-stealing trojan, and his bank account had been wiped out. When told that he needed to update his Windows to Service Pack 2 and avoid file sharing, he insisted that he wouldn't change. Eventually we scared him into updating to SP 2, installing a bi-directional firewall, and scanning any downloaded files for malware before opening them. Getting him to update to SP 2 took about 2 months and literally scores of posts, but finally he did it.
There are some interesting points of view in the talkbacks to Evers' article, but the first commenter got it right.
EVERYONE, and I do mean EVERYONE, should be worrying about security. While at large corporations security is the primary concern of IT, all users should be educated about it and be concerned about it.
At my forum, when we have repeat users, coming back for help a second or third time, I feel that we failed to properly educate them. It becomes frustrating at times, but we must keep working at educating users. To not do so is pure foolishness and inexcusable in my opinion.