PaulDotCom mailing list archives

End user education


From: jackadaniel at gmail.com (Jack Daniel)
Date: Sun, 14 Feb 2010 14:17:23 -0500

You've probably all seen Larry's fudsec post at
http://fudsec.com/casual-hex-and-the-failure-of-security-awaren (You
haven't? Go now, and make sure you read the comments).  I think it is
a good starting point for a conversation we need to have in InfoSec.
I have largely lined up with the dinosaurs like Ranum in my skepticism
of the value of user education, but have tried anyway.  I almost
always come back to Robert Heinlein's quote: "Never try to teach a pig
to sing; it wastes your time and it annoys the pig."  We do get some
successes, but at what cost?

A more informed look at the education we give end users, and the
reasons that they should reject the advice, is found in a paper Cormac
Herley delivered last year.  I read it when it came out, and keep
going back to it.  It isn't very long, but it isn't really a light
read, either.  PDF is at
http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf

You may notice that this is focused on the home user, not the
corporate end user; that is on purpose, there just isn't enough data
to extrapolate conclusions with the level of detail he wanted.  Cormac
has observed that end users in business are rejecting the advice
anyway.  I do think the numbers have to shift significantly when we
factor in the costs of breaches to organizations and the fact that
many fraud protections offered to individuals do not apply to
businesses.  My gut feeling is that rejecting a lot of "security
advice" still makes economic sense, at least from the corporate
end-user perspective, but the margins are slimmer.

There is also the issue of the true cost of breaches; if I have a
fraudulent charge on a card I am not out any money *directly*, but
we're all paying double-digit interest rates on credit cards when the
prime is below a percent, partly to cover fraud expenses, and the
price of goods includes an added margin to cover "shrinkage" (theft,
loss, fraud, etc.).  We are all paying for the fraud, but the true
costs are so obfuscated that we don't know what the real numbers are.

I'm not sure where we go from here, but I do believe we need to be
able to honestly answer the question "is it worth it" before we hand
out security advice and education, especially the same stuff we've
been saying for years.

I think it makes sense to use this information to justify some
lockdown of corporate assets; if the users can't be relied on to
protect the assets (and arguably shouldn't have to), then we need to
secure them before letting people loose to do their jobs.

I have exchanged a few emails with Cormac, he has received a pretty
good response to the paper and he is certainly a sharp guy.  Hey,
there's a guest idea for the podcast...
(Paul's idol, Steve Gibson, even covered this paper, but of course,
didn't speak to Cormac about it).

Jack


-- 
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
