So what about user education on security?

CNET's Joris Evers writes about one security expert who says educating users on computer security in the enterprise setting is "pointless". Doctoral candidate Stefan Gorling, speaking at the Virus Bulletin Conference, said:

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some attendees agreed while others vehemently disagreed.

The trick is to know what you're talking about and to bring the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.

"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."

I agree with Cooper.  I understand trying to educate some users is like talking to the wall, but that does not mean we shouldn't try. I do know, from working with home users on my SpywareWarrior forum, where volunteers help users get free of malware, that some will probably never change their online behaviors, even when confronted with proof that their online carelessness is what got them infected. We had one user whose ID had been stolen by a keylogger and password-stealing trojan, and his bank account had been wiped out.  When told that he needed to update his Windows to Service Pack 2 and avoid file sharing, he insisted that he wouldn't change. Eventually we scared him into updating to SP 2, installing a bi-directional firewall, and scanning any downloaded files for malware before opening them. Getting him to update to SP 2 took about 2 months and literally scores of posts, but finally he did it.

There are some interesting points of view in the talkbacks to Evers' article, but the first commenter got it right.

EVERYONE, and I do mean EVERYONE, should be worrying about security. While at large corporations security is the primary concern of IT, all users should be educated about it and be concerned about it.

At my forum, when we have repeat users, coming back for help a second or third time, I feel that we failed to properly educate them. It becomes frustrating at times, but we must keep working at educating users. To not do so is pure foolishness and inexcusable in my opinion.


Talkback

12 comments
  • Question ...

    Nice article, but how many users have experience with installing software on a computer (I don't count installing games as installing software) and use the appropriate settings for maximum security?

    The answer as I see it: not many... And that's made even worse when you take into consideration that a large PC seller, such as Dell, IBM or any other company, is delivering PCs with an OS installed at the lowest basic level which is possible and with about the same level of security.

    or do you have another idea about it?
    Arnout Groen
    • You're probably right

      I don't disagree with what you said at all. Many people don't have experience installing software or don't know how to set up security on their machine. There will always be people who don't care enough to learn, until their machine becomes trashed with malware, and some don't even learn then. But there are people who want to learn. Both types need education. Sometimes I think people should have to pass a test before they can use a computer, something like getting a driver's license before they can legally drive a car.
      Suzi_z
  • Not just attitudes.

    People whose profession is defeating security are going to have a good success rate. Test enough people in enough ways and even someone responsible is going to be fooled.

    I remember an article about someone testing security who sent a malware attachment labeled Pending Layoffs. The impulse to open that attachment quickly could easily overcome longstanding caution.

    So beyond users with poor attitudes toward security, which would be bad enough, there is also a long history of successful fraud which proves that people will be able to fool other people.

    Your efforts to educate are worthwhile. But would even widespread and successful education substantially reduce infections? Unlikely.
    Just like fixing flaws in software, education furthers the evolution of effective social engineering.
    Anton Philidor
  • Who's responsible for secure systems?

    Blaming users for vulnerabilities of wretchedly designed, written and maintained systems has a long and colorful past.

    Around 1986, when I was an idealistic young programmer, my hard-drive trashed the backup tape then self-destructed one memorable afternoon, all in a period of a couple of minutes. I almost lost my job over that -- someone had to be to blame. It was a seminal moment for me as I realized just how precarious this technology was.

    I think it is sheer madness to blame users for not adequately dealing with a technology so perverse and ill-designed that 14-year-olds in Kirkutsk can sink an entire company half way around the world. In my experience, those much-despised users are often several degrees of magnitude more intelligent than the IT staff -- whose job it surely is to keep things safe and running, not berate users for not doing their job for them.
    kentfx_z
    • Hmmm...

      I would add, that users in a corp. environment shouldn't even be allowed to install anything, have registry access, run programs not assigned to them, etc to begin with. If they do, then something is really wrong with the IT dept. in that company. Then again, sometimes I also think this corp. reliance on IE for both internal and external communications over the internet and intranets is a wee bit insane as well.

      IE should be for the intranet, some other locked-down browser for the Internet.

      As far as berating users go, I think they very well should be berated for violating the acceptable use policies of their place of employment. Let's face it, violating the policy is one of the only ways an end-user is going to splatter the corp. network with spyware and viruses even if the firewalls, etc are setup properly.

      I remember working for IBM, and if you didn't have clearance for higher privileges, you didn't even get access to a Floppy, CD or USB drive, let alone anything outside of Outlook and whatever programs were served up to you from the server or assigned to you locally. You want access to local storage space? Not unless you have clearance to access it in the program you are trying to access it from. You want access to the Internet? Not unless you have clearance, and even then, only to sites on their whitelists. Webmail was out of the question of course :D

      Running Windows was interesting there...you had Office, Outlook, Lotus, etc, but you had to save to a network storage space unless you had permissions assigned to you to store locally. There was no My Computer, etc on the desktop, there was no Start in the bottom left corner, no icon notification tray, etc. Only the clock and the rest of the taskbar down there so you could swap open apps.

      You couldn't use Ctrl+Alt+Del, etc. The only programs you could use, were what were kept as shortcuts on your desktop, and even those you couldn't edit, as right-clicking anywhere on the desktop was disabled, it did however work within Lotus, etc.

      Once I gained higher security clearances, a lot of that annoying nonsense vanished as if by magic... (I was a computer OP working with mainframes, print servers, and tape drives, had access to two desktops and an AS/400 as well...oh the joy).

      So I am just saying, not giving the end-user a chance to screw anything up to begin with goes along way towards prevention. Education is all fine and dandy, as long as they get educated while they are still on low-level access lockdown. It's far too late to educate them after they are used to doing semi-questionable things with higher level privileges.

      Then again, we also need to face the facts that some people should just never be allowed to get near a computer.
      thejynxed@...
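The lockdown thejynxed describes (no installs, no registry access, only assigned programs, no removable media) is enforced on Windows through Group Policy settings that land in well-known registry values. The following audit script is an added example, not code from the original post, from thejynxed or from IBM; it reads those policy-backed values and reports which controls are actually enforced for the current user session, so an admin can check that a "low-level access lockdown" is in place before relying on it. It assumes a domain-joined or locally policied Windows workstation, that it is run in the ordinary (non-elevated) user's session, and that the AppLocker PowerShell module is present for the last check.

```powershell
# Added example (not from the original page): audit a Windows workstation
# against a least-privilege desktop lockdown of the kind described above.
# Each check reads the Group Policy-backed registry value that enforces the
# control; a missing value means "not configured", i.e. not enforced.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent -> policy not configured
    }
}

function Test-IsLocalAdmin {
    # Note: under UAC an admin running non-elevated has a filtered token and
    # this returns $false; that is still the privilege the session can use.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AppLockerEnforced {
    # True when at least one AppLocker rule collection is in Enabled
    # (enforce, not audit-only) mode in the effective policy.
    try {
        Import-Module AppLocker -ErrorAction Stop
        $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
        $enforced = @($policy.AppLockerPolicy.RuleCollection |
                      Where-Object { $_.EnforcementMode -eq 'Enabled' })
        return $enforced.Count -gt 0
    } catch {
        return $false
    }
}

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$StoragePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Control name -> scriptblock returning $true when the control is enforced.
$checks = [ordered]@{
    'Not a member of local Administrators'            = { -not (Test-IsLocalAdmin) }
    'Registry editing tools disabled'                 = { (Get-PolicyValue $SystemPolicy   'DisableRegistryTools') -ge 1 }
    'Task Manager disabled'                           = { (Get-PolicyValue $SystemPolicy   'DisableTaskMgr')       -eq 1 }
    'Run dialog removed from Start menu'              = { (Get-PolicyValue $ExplorerPolicy 'NoRun')                -eq 1 }
    'Explorer/desktop context menu removed'           = { (Get-PolicyValue $ExplorerPolicy 'NoViewContextMenu')    -eq 1 }
    'Only explicitly listed programs may run'         = { (Get-PolicyValue $ExplorerPolicy 'RestrictRun')          -eq 1 }
    'All removable storage classes denied'            = { (Get-PolicyValue $StoragePolicy  'Deny_All')             -eq 1 }
    'AppLocker rules enforced'                        = { Test-AppLockerEnforced }
}

$results = foreach ($name in $checks.Keys) {
    $enforced = $false
    try { $enforced = [bool](& $checks[$name]) } catch { $enforced = $false }
    [pscustomobject]@{ Control = $name; Enforced = $enforced }
}

$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Enforced })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} lockdown controls are not enforced for this session." -f `
                   $missing.Count, $results.Count)
    exit 1
}
```

Run it in the user's own session (not from an elevated prompt), since the HKCU policies are per-user and an elevated token would misreport the administrator check. A non-zero exit makes it easy to drop into a login script or a compliance job; the RestrictRun check only confirms the switch is on, so the list of allowed executables under the RestrictRun subkey still has to be reviewed by hand.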
      • Hmmm...

        "I would add, that users in a corp. environment shouldn't even be allowed to install anything, have registry access, run programs not assigned to them, etc to begin with."

        Does that mean that end-(l)users should never install "critical" patches or update the anti-malware signature files, leaving them vulnerable and open to attacks? Should they be denied access to antivirus and spyware scanners that can help keep systems clean?

        That might sound a bit severe, but some IT departments are just that restrictive. Hopefully those types are few and far between, and most should allow those OS and antimal updates along with low-clearance user access to the scanners/cleaners.

        As for keeping the "power lusers" away from computers, that should be mandatory for all working in IT or management.
        Mr. Roboto
        • patches and other things

          Hmmm... again.

          Mr. Roboto wrote that
          "Does that mean that end-(l)users should never install "critical" patches or update the anti-malware signature files, leaving them vulnerable and open to attacks? Should they be denied access to antivirus and spyware scanners that can help keep systems clean?

          That might sound a bit severe, but some IT departments are just that restrictive. Hopefully those types are few and far between, and most should allow those OS and antimal updates along with low-clearance user access to the scanners/cleaners."
          According to my experience with corporate PCs and local networks since 1987, patching the operating systems and other software on their workstations is usually forbidden to normal end users. This task is done (locally or remotely, mostly using some scripting or other automation) by the much more experienced IT staff, who have the needed knowledge and resources.

          The last sentence in this text is: 'As for keeping the "power lusers" away from computers, that should be mandatory for all working in IT or management.' - I totally agree!
          tallsoft@...
          • Product opportunity?

            Perhaps what's needed is an OS with some sort of points system built-in. If you screw up, privilege level is reduced. Do it often enough, and IT staff have to spoon-feed everything. :)

            If you perform certain security-oriented tasks properly, your privilege level increases. Do it often enough and you enter the inner sanctum of being rated as a security "top dog". Lesser mortals then have to bow to your superior talent. :)

            Peer pressure would tend to make everyone more security conscious.
            Ikester_z
  • Maybe (l)user (re)education should start at home.

    It's hard to believe that some people still don't have Internet access at home when even basic DSL prices have dropped to dialup levels, but there are such laggards. Their only access is what they have at work, so they assume that whatever precautions are needed would be taken by the IT department.

    If they had access from home, they would understand the dangers of net surfing and would take precautions... we hope. If they knew the dangers of surfing at home, they would take better care at work.

    At least, we hope so...
    Mr. Roboto
  • Education works

    Yes, we have all had those users who are their own worst enemy. I had a lady client who would periodically surf through her whole drive and try every file that had a com or exe extension and would unfortunately find format. It's amazing what format c: can do in the hands of a misguided user.
    But it was her computer, and even though I knew better there was no way I could ethically alter her machine so she couldn't do that without her permission, so she did this 4 times over 2 years before finally learning what format does and not to play with it.
    In the meantime here we all sit again blaming users for the problems they have with virii and malware. We also seem to like to blame MS and Sun and IBM and AVI for their part in it, but are they really to blame? Let's face it, guys, the people we should be blaming, and the ones we should really be doing something about, are the guys writing the malware, not the users who just want to get their job done. Safety in surfing should not be the thing people are concerned about. When grandma wants to see her granddaughter's latest pictures she shouldn't be worried about keyloggers and malware, and we have let her down by making her have to.
    We have to find a way to make it so that there's no money in malware, and then and only then will it go away. If we spent half as much time working on that as we do complaining about MS or users, we could have it fixed by now.
    sysop-dr
  • One man's $0.02

    Here's a website that teaches people how to fortify Windows XP or 2000 by locking key system areas. I wouldn't venture to say this method is for everyone, but it works. This solution brought my suffering to a screeching halt: http://invincible-windows.blogspot.com/
    santuccie
  • RE: So what about user education on security?

    http://insurancefraudnews.blogspot.com
    dd_forums