Nov 09 2006
By Kurt Seifried (kurt@seifried.org)
Just so we're clear, I'm using the word "work" in this sense (from Dictionary.com):
19. to act or operate effectively: The pump will not work. The plan works.
In this sense I think it's quite clear that user education will never work. Saying so is tantamount to heresy for many people, but we also used to think the world was flat.
There are several simple and effective arguments against user education; they are:
Users will make a mistake sooner or later
Relying on users to spot and deal with security threats is a losing proposition: they will slip up sooner or later. It may be something as simple as accidentally clicking on a link in an email, or clicking on a link that looks legitimate. A perfect example of this comes from a recent news story:
Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read “Urgent – employment issue,” and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information.
And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site. [1]
The number, type and sophistication of scams will continue to increase. Personalized emails targeted at specific classes of users (e.g. the employees of one company), or even at a single user, sometimes carrying custom viruses and malware, will become more common. Is it possible to educate the average user enough to withstand these attacks? I doubt it.
Users really don’t care
Honestly, if you think your users care as much about your security as you do, you either have an amazing security awareness and training program or you're deluding yourself. Unless users are at some personal risk of loss, and that loss actually occurs, it is unlikely they will ever care. Some sites have tried the carrot-and-stick method, for example threatening to fire employees who violate security policy, or rewarding users who uphold it. The effectiveness of these methods is largely unknown, but I suspect that after some time their efficacy would decline.
Efficiency
One of the weaker arguments, but still a valid one, is efficiency. Imagine a network with, say, 100 users. These 100 users have 100 computers they use to read email, browse the web, write documents and so on. Supporting them are 10 servers: email, applications, proxies and so on. Training 100 users with even a minimal security education is going to take several hours each, plus several hours a year to update them on the latest attacks. That's several hundred hours of lost productivity, a not insignificant cost. Alternatively you can deploy security software on the client machines and/or servers and lock them down tightly, and you then don't have to worry about users mucking about with settings or clicking on things they shouldn't.
And finally:
Based on results: it’s obviously not working
Look, if user education worked, we wouldn't be in such a mess (although I suppose things could be worse, but I can't imagine them getting that much worse!). Let's figure out what works and use it.
So, based on all this, do I think user education will ever work? Not really. Do I think we should continue to try to educate users? To some degree, yes: we should continue educating users, but we shouldn't rely on it. Threats will continue to evolve, and actions that were safe in years past (like opening a graphics file or plugging an iPod into your computer) are no longer safe, which makes it hard to teach users what is safe and what isn't. On the other hand, if we create a computing environment where user mistakes have no real impact, I think we could all sleep better at night.
[1] http://www.networkworld.com/news/2006/110106-spam-spear-phishing.html
http://forbes.bitpipe.com/detail/RES/1153824242_749.html
http://blogs.zdnet.com/Spyware/?p=855
http://www.useit.com/alertbox/20041025.html
Posted by Kurt.Seifried on Thursday, November 9th, 2006, at 8:00 am, and filed under Articles, That Old Problem.
ricst | 09-Nov-06 at 10:24 pm | Permalink
I guess education didn’t work with the author of this article ;)
But it certainly does work whenever students/employees see a clear, personal benefit to learning the material, and the presentation is at a level they can understand. Example: If you can train someone how to reduce the chance of their system getting hacked by malware, they can readily appreciate the benefit of not having to go a few days without their system while it’s being repaired. Everyone listens to WII-FM (What’s in it for me?), and as long as security education addresses that question, almost everyone will at least pay attention, if not actually learn something useful.
LonerVamp | 19-Mar-07 at 6:34 am | Permalink
That Dekalb example is a pretty extreme one, and ingenious at that. Even I would blink a few times and really investigate that link and email as opposed to knee-jerk delete.
But I hear your point and I do agree. User education alone won’t save us any more than it has saved us against pretty much any other “security” “crime” in our country (teen pregnancy, drug use, etc). It helps, especially when people are receptive, but we can’t assume everyone will be receptive.
At least with technology we have some absolutes, or as close as we can get to them.
Then again, we get down to how far can we take technology before users are no longer using computer systems but rather punchboards that do their 3 tasks and that’s it?