PaulDotCom mailing list archives
End user education
From: jackadaniel at gmail.com (Jack Daniel)
Date: Sun, 14 Feb 2010 14:17:23 -0500
You've probably all seen Larry's fudsec post at http://fudsec.com/casual-hex-and-the-failure-of-security-awaren (You haven't? Go now, and make sure you read the comments). I think it is a good starting point for a conversation we need to have in InfoSec.

I have largely lined up with the dinosaurs like Ranum in my skepticism of the value of user education, but have tried anyway. I almost always come back to Robert Heinlein's quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig." We do get some successes, but at what cost?

A more informed look at the education we give end users, and the reasons that they should reject the advice, is found in a paper Cormac Herley delivered last year. I read it when it came out, and keep going back to it. It isn't very long, but it isn't really a light read, either. PDF is at http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf

You may notice that this is focused on the home user, not the corporate end user - that is on purpose, there just isn't enough data to extrapolate conclusions with the level of detail he wanted. Cormac has observed that end users in business are rejecting the advice anyway. I do think the numbers have to shift significantly when we factor in the costs of breaches to organizations and the fact that many fraud protections offered to individuals do not apply to businesses. My gut feeling is that rejecting a lot of "security advice" still makes economic sense, at least from the corporate end-user perspective, but the margins are slimmer.

There is also the issue of the true cost of breaches; if I have a fraudulent charge on a card I am not out any money *directly*, but we're all paying double-digit interest rates on credit cards when the prime is below a percent, partly to cover fraud expenses - and the price of goods includes an added margin to cover "shrinkage" (theft, loss, fraud, etc.). We are all paying for the fraud, but the true costs are so obfuscated that we don't know what the real numbers are.

I'm not sure where we go from here, but I do believe we need to be able to honestly answer the question "is it worth it" before we hand out security advice and education, especially the same stuff we've been saying for years. I think it makes sense to use this information to justify some lockdown of corporate assets; if the users can't be relied on to protect the assets (and arguably shouldn't have to), then we need to secure them before letting people loose to do their jobs.

I have exchanged a few emails with Cormac, he has received a pretty good response to the paper and he is certainly a sharp guy. Hey, there's a guest idea for the podcast... (Paul's idol, Steve Gibson, even covered this paper, but of course, didn't speak to Cormac about it).

Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
Current thread:
- End user education Jack Daniel (Feb 14)
- End user education Jody & Jennifer McCluggage (Feb 14)
- End user education Raffi Jamgotchian (Feb 14)
- End user education Jack Daniel (Feb 15)
- End user education d4ncingd4n at gmail.com (Feb 15)
- End user education Jack Daniel (Feb 15)
- End user education Michael Dickey (Feb 15)
- End user education Dancing Dan (Feb 15)
- End user education Jack Daniel (Feb 15)