PaulDotCom mailing list archives
End user education
From: jackadaniel at gmail.com (Jack Daniel)
Date: Mon, 15 Feb 2010 12:22:48 -0500
I need to craft a longer answer, but I will say the results of user education programs are very dependent on the end user being taught. I have had much better luck with some groups than others. The car business? That is definitely a "teaching pigs to sing" experience.

Thanks for the insights Raffi and Jody. I think we'll be hearing more about this topic ;)

Jack

On Sun, Feb 14, 2010 at 9:17 PM, Raffi Jamgotchian <raffi at flossyourmind.com> wrote:
Jack, I used to feel the same way that you did only a few years ago. I think it was particularly because our security program from the larger corporation I came from was ineffective. The problem with giving up on the end-user is that you end up spending too much time and money on tools. I know those things are not necessarily items that are exclusive of each other, but hear me out.

When I was asked to be CTO of a small investment firm startup (after I left the larger investment firm noted above), I agreed with every security startup that I met that I would put their product into my environment at no or low cost in return for feedback to them and them allowing us to use our company name in their marketing. Besides finding myself becoming somewhat of a tech whore (sorry if that offends), I found that I was spending too much time overcomplicating the environment, which led to other issues. Both of those left a bad taste in my mouth, so I made a conscious switch.

Since then, I've moved into a consulting role with the same firm as well as a few other small investment and non-investment firms. I've found that spending one on one time on the consequences, in addition to pragmatic controls, is the best defense we have today. Small businesses typically don't have the resources to spend oodles of money on tools and people, so they have to be, as Mick said at ShmooCon, "secure enough."

The church I go to has a prototypical very conservative Armenian priest. His sermons are super long and are said in two languages (Armenian and English). When he wants to teach or preach to a point, he says the same thing three different ways, and then again in both languages. Now someone that understands both languages got the same lesson 6 times. Guess what, it eventually sinks in. Although we like to treat employees like adults, and we expect them to behave that way, the truth is that most adults (like Kindergarteners) need repetition in different ways to properly learn.

As security practitioners (and I'll speak to the small business market since that's what I focus on nowadays) we need to be equal parts technologists, to minimize the breakage when things happen, but also teach the business consequences of the actions people make. If you work the consequences into the conversations in different ways repetitiously, it does eventually sink in, but it doesn't happen overnight.

Thanks for sending those links over. I'm always interested in seeing what others feel about this since my position is an evolving one.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jack Daniel
Sent: Sunday, February 14, 2010 2:17 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] End user education

You've probably all seen Larry's fudsec post at http://fudsec.com/casual-hex-and-the-failure-of-security-awaren (You haven't? Go now, and make sure you read the comments). I think it is a good starting point for a conversation we need to have in InfoSec.

I have largely lined up with the dinosaurs like Ranum in my skepticism of the value of user education, but have tried anyway. I almost always come back to Robert Heinlein's quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig." We do get some successes, but at what cost?

A more informed look at the education we give end users, and the reasons that they should reject the advice, is found in a paper Cormac Herley delivered last year. I read it when it came out, and keep going back to it. It isn't very long, but it isn't really a light read, either. PDF is at http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf

You may notice that this is focused on the home user, not the corporate end user - that is on purpose, there just isn't enough data to extrapolate conclusions with the level of detail he wanted. Cormac has observed that end users in business are rejecting the advice anyway. I do think the numbers have to shift significantly when we factor in the costs of breaches to organizations and the fact that many fraud protections offered to individuals do not apply to businesses. My gut feeling is that rejecting a lot of "security advice" still makes economic sense, at least from the corporate end-user perspective, but the margins are slimmer.

There is also the issue of the true cost of breaches; if I have a fraudulent charge on a card I am not out any money *directly*, but we're all paying double-digit interest rates on credit cards when the prime is below a percent, partly to cover fraud expenses - and the price of goods includes an added margin to cover "shrinkage" (theft, loss, fraud, etc.). We are all paying for the fraud, but the true costs are so obfuscated that we don't know what the real numbers are.

I'm not sure where we go from here, but I do believe we need to be able to honestly answer the question "is it worth it" before we hand out security advice and education, especially the same stuff we've been saying for years. I think it makes sense to use this information to justify some lockdown of corporate assets; if the users can't be relied on to protect the assets (and arguably shouldn't have to), then we need to secure them before letting people loose to do their jobs.

I have exchanged a few emails with Cormac, he has received a pretty good response to the paper and he is certainly a sharp guy. Hey, there's a guest idea for the podcast... (Paul's idol, Steve Gibson, even covered this paper, but of course, didn't speak to Cormac about it).
Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com