I've met users, and they're not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they're not technologists, let alone security people. Of course, they're making all sorts of security mistakes. I too have tried educating users, and I agree that it's largely futile.
Part of the problem is generational. We've seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach newfangled technologies with trepidation, distrust and confusion, while the children who grew up with them understand them intuitively.
But while the don't-get-it generation will die off eventually, we won't suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there's no time for any generation to become fluent in anything.
Earlier this year, researchers ran an experiment in London's financial district. Someone stood on a street corner and handed out CDs, saying they were a "special Valentine's Day promotion." Many people, some working at sensitive bank workstations, ran the program on the CDs on their work computers. The program was benign -- all it did was alert some computer on the Internet that it was running -- but it could just have easily been malicious. The researchers concluded that users don't care about security. That's simply not true. Users care about security -- they just don't understand it.
I don't see a failure of education; I see a failure of technology. It shouldn't have been possible for those users to run that CD, or for a random program stuffed into a banking computer to "phone home" across the Internet.
The real problem is that computers don't work well. The industry has convinced everyone that people need a computer to survive, and at the same time it's made computers so complicated that only an expert can maintain them.
If I try to repair my home heating system, I'm likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there's no point in trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if anything goes wrong.
Punishment isn't something you do instead of education; it's a form of education -- a very primal form of education best suited to children and animals (and experts aren't so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.
This originally appeared in the April 2006 issue of Information Security Magazine, as the second part of a point/counterpoint with Marcus Ranum. You can read Marcus's essay here, if you are a subscriber. (Subscriptions are free to "qualified" people.)
EDITED TO ADD (9/11): Here's Marcus's half.
Posted on August 22, 2006 at 12:35 PM • 79 Comments