On Awareness
Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness.
It is very in vogue to say that user education must be eradicated [link to http://www.threatchaos.com/archives/2005/10/dangerous_meme.htm no longer works], will never work and is one of the dumbest ideas in computer security. However, all of the authors miss a vital point, and that is: If users don’t know what they are and are not supposed to do, it is no wonder that they break the rules and make mistakes.
It’s all well and good to believe that technology should protect the user and that argument works well for things like spam and spyware (even if the technology doesn’t), but that just doesn’t fly when it comes to policy based issues like sharing of confidential information or writing quality code. At some point, users need to understand why things need to be done a certain way whether for security, safety or just plain profit. How are they going to get that? Osmosis?
I think even if you use technology to enforce security policy, you need user education. If users don’t understand WHY certain actions aren’t allowed, they’re going to try to circumvent the technology, and they can be fiendishly clever about it. It really helps to take the effort to explain to them why security is important and how they benefit from it, so you aren’t just seen as someone who makes their job difficult.
I think this issue is one that is still widely open (as opposed to something like vulnerability management which is more defined).
The interesting question posed: “What is the line between what can and cannot be reasonably taught that would satisfactorily alter human computing behavior for the better????
See for a brief blog entry:
http://www.bloginfosec.com/?p=97
Ken
http://www.bloginfosec.com/
Well said. I’m all in favour of limiting the capabilities given to users where possible; a lot of security breaches happen because Joe User is just trying to get his job done, so if you give him (for example) an insecure way to transfer files you can’t moan too much when he uses it.
But as you say, there are plenty of security problems that cannot be sensibly mediated by technology, so a good education program is essential. Indeed, user awareness is one of the best value security barriers you can provide, as it is far more flexible than most technical barriers.
Darn, another fashion I was too early for: User education: worse than useless.
Seriously though, the point being made dominates your point: If the tool is unusable then user education isn’t going to fix it. Fix the tool, and then it may be worth thinking about education … or, heck, it might be worth thinking why it is that ones policy still cries out for education.
Policy issues such as sharing confidential information can be responsive to re-engineering. E.g., Lynn Wheeler’s much lauded x9.59 payment system which re-engineered all the payment systems account numbers from “secret” to “non-secret” and thus dealt with the difficulty of securing those numbers.