Point/Counterpoint: User Education

Point: Marcus Ranum / Counterpoint: Bruce Schneier

When I first got started in computer security, I think I spent half of my time trying to educate users. "Don't open attachments from strangers."  "Choose good passwords." "Don't believe everything you read in an e-mail." Security practitioners have shouted themselves hoarse trying to educate users. But has it helped? Obviously, it hasn't: phishing scams are still raking in money, viruses are still spreading, and countless users still use their cat's name as a password for their E-bank account. In fact, it looks like the situation is getting worse rather than better.

The demographics of computing guarantee a constant influx of new, inexperienced users, each one representing a potential finger poised to click "OK" on the button that releases a new Trojan horse into your network. Why are we still bothering? They aren't learning, and they wonít learn, so the payoff for user education appears to be near zero.

While the average userís attitude concerns me, what really scares me is the apparent failure of user education to have a significant impact on the ranks of IT managers. You'd think when each new technology that gets fielded turns out to be a security disaster, they'd learn to ask "What about security?" before they spend a fortune on some new widget with cool blinking lights. It seems that there is no number of presentations, books, or articles that can be served up to IT managers that will get them to pull their heads out of the sand.

From where I sit, it would appear that the most effective tool for teaching users about security is pain and humiliation. In fact, pain and humiliation seem to be the ONLY effective tools for teaching about security. I've noticed, for example, that there is nothing that gets people to take identity theft seriously like a $15,000 credit card bill. Having to reload Windows every three months is an effective lesson about why viruses are good to avoid. Seeing stock options plummet because the customer database is on a public FTP site gets even the most reluctant IT manager's attention. Should we stop spending time trying to educate people, and spend our time pointing and giggling instead?

Rather than pointing and giggling, it looks like we're going to lawyer up. The current trend in legislation -- holding executives and companies liable for security problems -- appears to be gaining momentum. On the corporate front, the pain level is going to increase pretty quickly, but what about the home users? Perhaps, instead of thinking of ways to educate them about security, we need to think of a way of letting them learn from their mistakes in a way that doesn't damage the rest of us.