
By Joris Evers
Posted on ZDNet News: Oct 12, 2006 5:00:00 PM

MONTREAL--Forget about teaching computer users how to be safe online.

Users are often called the weakest link in computer security. They can't select secure passwords, and they write down passwords and give them out to strangers in exchange for treats. They use old or outdated security software, can't spell the word "phishing," and click on all links that arrive in e-mail or instant messages, and all that appear on the Web.

That's the reality, Stefan Gorling, a doctoral student at the Royal Institute of Technology in Stockholm, Sweden, said in a talk at the Virus Bulletin conference here Wednesday.

When things go wrong, users call help desks, either at their company or at a technology supplier such as a PC maker, software maker, or Internet access provider, and those calls can cost a fortune. The solution, many technologists say, is to educate the user about online threats. But that doesn't work and is the wrong approach, Gorling said.

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.

It isn't productive, for example, to ask users to detect e-mails that seek to con them into giving up personal information, he said. "Phishing is too hard to detect, even for experts."

And even if people can be trained, they can't be trusted to be on guard all the time, he said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some examples of built-in security mentioned at Virus Bulletin include a phishing shield in Web browsers, virus filtering in e-mail services and programs, and protection as part of instant messaging services such as Microsoft's Windows Live Messenger.
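To make Gorling's point concrete, here is an added example (not code from the talk, the article, or any product named above) of the kind of check a mail filter performs so that the user never has to judge a link. The heuristics it applies are the standard ones for this job: visible link text that names a different domain than the actual target, punycode hosts, raw IP addresses, and userinfo smuggled into the URL. The sample message is constructed for the example, and the registrable-domain helper is a deliberate simplification (last two labels, no public-suffix list), which is an assumption a production filter would not make.

```python
"""Screen the links in an inbound HTML mail so the recipient does not have to.

Added example; the sample message below is constructed, and the
registrable_domain() helper is a naive approximation (assumption).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Assumption: no public-suffix list, so 'co.uk'
    style suffixes are not handled; good enough to show the technique."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches link text that looks like a host or URL, capturing the host part.
_HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def screen_links(html):
    """Return a list of (href, text, reasons) for links that look deceptive."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are not web links
        host = url.hostname or ""
        reasons = []
        if "xn--" in host:
            reasons.append("punycode (IDN) host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address as host")
        if "@" in url.netloc:
            reasons.append("userinfo in URL")
        shown = _HOST_RE.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(1)} but target is {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


def verdict(html):
    """Filter decision: quarantine if any link is flagged, else deliver."""
    return "quarantine" if screen_links(html) else "deliver"


# Constructed sample message (not real mail): one deceptive link, one mailto,
# one honest link.
SAMPLE_MAIL = """<p>Your account needs verification.</p>
<a href="http://login.example-bank.com.evil.example/verify">https://www.example-bank.com/verify</a>
<a href="mailto:support@example-bank.com">support@example-bank.com</a>
<a href="https://www.example-bank.com/statements">View statements</a>"""

if __name__ == "__main__":
    for href, text, reasons in screen_links(SAMPLE_MAIL):
        print(href, "->", "; ".join(reasons))
    print(verdict(SAMPLE_MAIL))
```

The decision is made in the mail pipeline, before the message reaches the inbox; the user is never asked whether the link "looks right", which is exactly the judgment the talk says even experts get wrong.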

Gorling found fans and adversaries in the Virus Bulletin crowd. Martin Overton, a U.K.-based security specialist at IBM, agreed with the Swedish doctoral student. Most computer users in business settings just want to focus on work and then go home to spend the money they made, he said.

"It really is a nightmare. User education is a complete waste of time. It is about as much use as nailing jelly to a wall," Overton said. "There is no good trying to teach them what phishing is, what rootkits are, what malware is, etc. They are not interested; they just want to do their job."

Instead, organizations should create simple policies for use of company resources, Overton said. These should include things such as mandatory use of security software and a ban on using computers at work to visit adult Web sites, he said.

IT staffers, on the other hand, do need training. And when they have to come to the rescue of a "click-a-holic" with an infected PC, it's possible under those circumstances that some preventive skills will rub off on the user, Overton said. "A bit like pollination, but without the mess."

Others at the annual conference for antivirus and security professionals advocated user education.

The trick is to know what you're talking about and to present the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.

"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."

Microsoft has long been an advocate of user education. Matt Braverman, a program manager for the software giant, advocated the use of specific threat examples to inform users, such as samples of malicious software and e-mail messages that contain Trojan horses.

"If we can look at the most successful tactics that the user is likely to fall victim to, you're more likely to get the message through," Braverman said.

Jill Sitherwood, an information security consultant at a large financial institution, has seen education both fail and succeed. "I have to believe it works," she said. "When we give our awareness presentations, what signs to look for, I have seen a spike in the number of incidents reported by our internal users."

But online consumers are a tougher crowd to get through to.

"We have a special page on our Web site to report security incidents. We had to shut the e-mail box because customers didn’t read (the page) and submitted general customer service queries," Sitherwood said.
