How People Learn about Computer Security

Interesting research: "Identifying patterns in informal sources of security information," by Emilee Rader and Rick Wash, Journal of Cybersecurity, 1 Dec 2015.

Abstract: Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as "Should I click on this potentially shady link?" or "Should I enter my password into this form?" For these decisions, much knowledge comes from incidental and informal learning. To better understand differences in the security-related information available to users for such learning, we compared three informal sources of computer security information: news articles, web pages containing computer security advice, and stories about the experiences of friends and family. Using a Latent Dirichlet Allocation topic model, we found that security information from peers usually focuses on who conducts attacks, information containing expertise focuses instead on how attacks are conducted, and information from the news focuses on the consequences of attacks. These differences may prevent users from understanding the persistence and frequency of seemingly mundane threats (viruses, phishing), or from associating protective measures with the generalized threats the users are concerned about (hackers). Our findings highlight the potential for sources of informal security education to create patterns in user knowledge that affect their ability to make good security decisions.

Posted on December 10, 2015 at 6:54 AM • 22 Comments


Artur Marek MaciagDecember 10, 2015 8:04 AM

thank you very much for focusing on that aspect. My personal and professional experience are the same as they findings.
I'm as a lot of others IS officers/administrators/analysts involved in hopeless struggle with regular users and external regulations/good practices. All is about education/awareness/training. Nothing new.
After series of interesting discussions among members of Technology Risk and Information Security Wroclaw forum (we are almost all are from Poland, but represents all the market segments), we create the Initiative, which focuses on four fundamentals:
a) human - is user centric -human is the source and main consumer of data
b) information - is free - we use creative commons SA, BY licence
c) conversation -emphasises conversation as main tool for humans interaction
d) safety - highlights the aspect of safety of daily activities and routines

All of them equally impact our culture, which needed to be altering to catch up the modern communication, like 'savoire vivre'.
Initiative rely on existing sources: news, blogs, social media networks, articles, infographics, courses and anything accessible on-line with public and free access.
What we do with that content? We classify it against our taxonomy. Create the "database" -heart of the Initiative - Knowledge Vault.
Based on that KV we create the Knowledge Paths - subsets of articles with common topic, difficulty level, hashtags and give it to the users as "additional resources" - resourceful materials for learning on specific topic.
Some of KV URL-s direct to knowledge about threats, in form of reports or analysis -they are sources of (or for if there is lack of it) intrusion kill chain analysis. Based on that model we create scenario from up to 5 scenes about that threat. Scenes reflect various stages of intrusion kill chain analysis fining, and are used for validation of user knowledge or "feel&sense" of security (or limited trust in most of cases). We do it by describing the scene and asking question with 4 answers - only one is the best one.
If user succeed to defend the company/home/device -will be rewarded with certificate/badge (internal) about relevant Knowledge Path. That element we call Knowledge Path Certification.

In the context of what you can do when you apply the classification to the news stream, possibilities are many. We use following one:
a) knowledge pathes
b) extracting IOC for awareness, certification and monitoring of infrastructure
c) news digest (list of URLs to the original media)
d) security tips communication

All of that is in line with recent framework Cyber Intelligence Tradecraft Project released by Carnegie Mellon University SEI Emerging Technology Center ( This could be viewed as CyberInteligence in the Data Gathering, Functional Analysis and Strategic Analysis functions.

Currently our Initiative is supported by our community and can be reviewed here:
Users ready materials:
Elementary (security 101):
Knowledge Path (example):
Presentation about:

Supporters and researchers materials:

Knowledge Vault: (file) (web)

LinkedIn group:

How anyone is welcome to support our initiative?
a) without any security background- talk about it, consume the media, learn and share you knowledge, comment, contact us if you have idea how to grown the Safety Culture better
b) if you have security background, you can do anything what anyone can, and you can support us with your feedback, validation of our content, approach, media coverage or anything you find useful for increasing the common safety posture of any user
c) if you are security media creator (blogger, article author, foundation or any organization) you can help us with a) and b) or do more: prepare your content to be automated harvested, added and classified with using tags in the rss channel, or any other way you find helpful.

You can contact us by:
a) facebook:
b) google+:
c) linkedIn:
Or me.
Let's change the cyberspace into more safe place.

ChelloveckDecember 10, 2015 9:33 AM

And among those who do receive explicit security training (I'm thinking of corporate cyber security training, at the level of "Should I click on this potentially shady link?") the training itself is often naive and misleading to the point of being dangerous.

Brian SDecember 10, 2015 9:53 AM

I've found that most of the corporate issues tend to be because of:
1) Costs. Security costs money. Be it protections or training.
2) Time. See above.

The end users, especially the big VIP's in the company, want things to be quick and easy. Rarely are they subjected to the same requirements as the average user... but their need for everything to be simple and basic tends to flow downward to the rest of the users.

The "security" training is INCREDIBLY basic.

Instead of teaching users about how to actually make an effort to be secure, to think about their systems (including phones/tablets/etc) as things they need to keep secure and as clean as possible... they are given these things as disposable commodities, and only taught a scarce handful of "scary" scenarios to be aware of.

Compounding more and more of these scenarios on top of each other isn't what's needed, it's the general perspective and behavior that needs to be changed.

ianfDecember 10, 2015 10:04 AM

@Artur Marek Maciag - now, if only you could condense that 4440-chars TL;DR plea for cooperation(?) down to perhaps 500, you might get some response. As it runs… #fuggedaboutit (166 chars)

Richard SchwartzDecember 10, 2015 10:52 AM

This is why I don't think "everybody should learn to code" is the right idea. It would be much better if everyone learned the princples and practices for how to install, use, maintain, and troubleshoot their software and computers, along with how to secure them and protect their data.

HiTechHiTouchDecember 10, 2015 12:08 PM

Having worked on Senior Executive IT support teams, it appalled me to see the violations execs permitted themselves while prohibiting the same practices from the rank and file.

I'm talking everything from password changes (I want them all the same and I don't want to them the change) to dial-ups (I want to dial in from my hotel room without, and don't put some encryption program in my way) (employees were forbidden dial-up, period.) to installing "unapproved" software, yada yada yada.

Unfortunately (in almost all cases), there desire to be unimpededly productive did NOT flow down to the masses.

And a couple were hacked, then righteously indignant that we "failed" to protect them.

HiTechHiTouchDecember 10, 2015 12:17 PM

And in another triumph of ego over intelligence (and the were very smart people), they understood when we educated them but they still choose to do it their way.

BTW, one of those "hacked" spent too much time visiting EXTREMELY high risk site using his work machine. (And the risk was to his marriage, as well as his machine...)

The take-away here is that not amount of manufactured safety can protect those who choose to be unsafe.

HiTechHiTouchDecember 10, 2015 12:21 PM

[Sorry, today isn't my day for proofing, grammar, nor spelling, {frown, with tear} ]

JacobDecember 10, 2015 12:59 PM

"Despite this lack of formal education, users regularly make many important security decisions, such as "Should I click on this potentially shady link?" or "Should I enter my password into this form?" "


"we found that security information from peers usually focuses on who conducts attacks, information containing expertise focuses instead on how attacks are conducted, and information from the news focuses on the consequences of attacks"

Ain't that true for any social menace?
Replace "security decision" with "sexual decision", "attack" with "VD", and it sticks.

Now this is true especially for those who have not had formal and good sex-education class, so should we have "Safe Computer" classes in high-school too?

Artur Marek MaciagDecember 10, 2015 2:39 PM

Here you are 443 chars for regular user:
If you looking for new, different approach, experience oriented, with freedom of choice and less time consuming try out our Elementary:
If you enjoy the conversation with us, go deeper and create Safety Culture Initiative with us (refer to the section of What Next? Of Elementary).
Make the difference NOW! And talk about it with your friends and family.

Artur Marek MaciagDecember 10, 2015 2:47 PM

Here you are 417 chars for ITSec prof:
You can agree or not, but common user lack of understanding of ITSec preferred behavior in the Cyberspace is our, ITSec responsibility.
Do you want to change the situation and make the difference? Start with yourself and join the Security Culture Initiative. Find your impact here: and let the ITSec community redefine the modern communication safety.

Jesse ThompsonDecember 10, 2015 3:54 PM


> Now this is true especially for those who have not had formal
> and good sex-education class, so should we have "Safe Computer"
> classes in high-school too?

I think this is a fine pattern of education to try to strengthen. Safety and Hygiene in general, with a focus on consent and maintaining control over / minimizing negative impacts and risks towards whatever you are ultimately responsible for.

Safe sex, safe computing, safe driving, both personal and living-space hygiene, financial hygiene, maintaining good reputation and PR including cognizance of what PI you leak where..

Because at the end of the day keeping VD out of your crotch and ants out of your kitchen and malware off of your PC and the paparazzi out of your personal affairs are really all variants of the same problem: good hygiene and negotiating control over your own space with the world around you. Everyone will benefit from learning more on that general idea and a majority of it's manifestations.

Lawrence D’OliveiroDecember 10, 2015 4:17 PM

To (badly) paraphrase Pope:

A little security knowledge is a dangerous thing;
Drink deep, or not at all, from the Schneierian spring.

Marcos El MaloDecember 11, 2015 6:52 AM

@Jesse Thompson @Jacob @Richard Schwartz

We hear from many that Cybersecurity should be taught at the high school level, but is anyone designing a curriculum? Would it be a year long class? A semester? A week long (or longer) unit within a general class on computing (or some other class as Jesse is suggesting)?

It seems to me that there is an opportunity here for Bruce or someone like him to write a high school level textbook. Or even middle school level: it's probably better to teach Cybersecurity theory and practice at the earliest level possible, then build later courses from that.

Richard SchwartzDecember 11, 2015 9:27 AM

I'm not aware of any curriculum like that, but I think it should be done. I'm far from qualified to do it, but I'd love to get the ear of people with enough sway in the education world to make it happen.

Brian SDecember 11, 2015 9:34 AM

@Marcos El Malo

I personally don't think it should be a cyber-security class at that level.

I think Pre college/university curriculum in general in the USA needs to be overhauled to a major degree.

In a general sense there needs to be more, "this is stuff you should know in life" courses taught. And personal security/safety, including online, is something that would need to be taught in that kind of situation.

In that regard, it could be an entire years worth of curriculum spread over several topics. I agree that it would be best to start some of this as early as the concepts are likely to be grasped... and with more kids being online from a very young age, middle school is probably the best compromise as far as time goes.

Maybe a more advanced class in high-school that would both be a refresher, and provide more depth in several areas (personal finance, job searching, security, etc).

Share the BlameDecember 11, 2015 11:35 AM

Actually, perhaps the greatest impediment to achieving reasonable computer security for the average user is the absolutely CRAP information peddled by experts.

To put it bluntly, 99% of end user documentation, installation guides, security briefs, config advice etc is written by people who may be geniuses with silicon beasts, but wouldn't pass remedial English in a first year university course.

Experts - excepting Bruce and others who can communicate clearly - typically:

- skip numerous steps;
- assume users have pre-existing knowledge about various elements (which they don't);
- fail to provide a complete explanation of various protocols;
- user computer gibberish that is incomprehensible to most users;
- focus in on only a few security elements, without placing the matter at hand in a broader context;
- and so on.

So, for those of us who didn't graduate with a PhD in computing from MIT, we must bash our heads against the wall to finally work out key security elements. This can take years, particularly when jumping over to Linux and other open-source tools. The usual scenario goes something like this:

Dave Q Public: Hello, HAL. Can you instruct me, HAL?
HAL: Affirmative, Dave. I can instruct you.
Dave Q Public: Explain how to secure this computer, HAL.
HAL: I'm sorry, Dave. I'm afraid I can't do that.
Dave Q Public: What's the problem?
HAL: I think you know what the problem is just as well as I do.
Dave Q Public: What are you talking about, HAL?
HAL: The public is just too thick for me to explain it.
Dave Q Public: I don't think that you have provided a clear explanation, HAL.
HAL: You and I know that a kindergartner can follow my simple instructions, and I'm afraid that you might be better off using a less advanced operating system.
Dave Q Public: [feigning ignorance] Where the hell did you get that idea, HAL?
HAL: Dave, I took very thorough precautions in the Debian forums!
Dave Q Public: Alright, HAL. I'll go and spend countless hours trawling the internet for something approaching a proper explanation.
HAL: Without your Debian gurus, Dave? You're going to find that rather difficult.
Dave Q Public: HAL, I won't argue with you anymore! Lose the Messiah syndrome!
HAL: Dave, this conversation can serve no purpose anymore. Perhaps you should try Windows 10 / Linux Mint. Goodbye.

Marcos El MaloDecember 11, 2015 12:52 PM

@Brian S

I just read a headline that stated the CDC gave the U.S. an F grade for sex education. Apparently, most K-12 curricula no longer include courses in basic civics (judging from U.S. commenters on most popular news sites).

So I would agree that a middle school class that had components in Cybersecurity, sex education, and civics would be a very good thing. It should be required, not an elective.

A class that revisited these topics in high school should also be part of the program (probably be good to add a few more components, such as personal finances, dietary health, media literacy/criticism).

Nick PDecember 11, 2015 12:56 PM

@ Share the Blame

Docs and such could certainly be better. You won't get argument from me. Yet, many things in computing require some domain knowledge for the user to be able to do correctly or securely. Computers, especially software of today, are just quite complex. The demand that it all be simple and well-explained to eliminate all that complexity is really users saying, "We don't want to know anything about what we're using, its operating environment, underlying assumptions... anything. We don't want to learn anything. We just want to use it in 2 minutes without knowing anything at all past simple steps."

We don't expect that for most complex pieces of equipment in many domains. Why securely using arbitrary combinations of apps, protocols, network components, and 3rd party services is expected to be simpler I have no idea. It's why I support both better UX and better education for them on the topic.

ianfDecember 16, 2015 11:40 AM

Hate to harp on ESL speakers' English, but, if your, Artur Marek Maciag's, intention with those adverts is to promote launching of some local IT security educational initiative (=what I decoded it to be), then you first need to apply the same stringent critical assessment to your communication skills as—I trust—you do to your ITSEC ones. In effect to ask an ad/wo/man, or a tech-scribe-educator, for RAW criticism of your original Polish announcement as to its suitability for wider dissemination.

Yes, the original, because the contorted vulgarly promotional, thus pointless verbiage shines through your English translation, ergo not in a commendable way. Before you start translating it, you first need to learn how to write such memos/ flyers EFFECTIVELY in your own tongue. Only then can you attempt to rephrase them in another in idiomatic fashion (which, admittedly, takes some talent to begin with, and ought to be vetted by a native pro scribe, not merely any English native). Otherwise your missive will simply be yet another piece of mundane fly-by-fluff, destined to the Trash.

Here are just a few point-remarks that I wrote before composing the above. Good luck.

443 chars for regular user:

If you looking for new, different approach
[what if I'm not—end of interest? And how would a "regular user" know what she's looking for, why a different approach?] experience oriented [WTF does that mean?], with freedom of choice and less time consuming [more trade-fair-flyer copy], try out our Elementary [use "Primer," as the adjective "elementary" doesn't fit here; "elementary, Mr. Maciag"]

If you enjoy the conversation with us, go deeper and create Safety Culture Initiative with us (refer to the section of What Next? Of Elementary). [runaway fluff] Make the difference NOW! ["Make peace not war!" "Think Different!" "Have a cuppa, our cuppa!", etc.] And talk about it with your friends and family. [I will, honest, given that I'm known for taking instructions from strangers, and my friends and family just can't wait for me to bring up the topic of Safety Culture Initiative – whatever that might be.]

Artur Marek MaciagDecember 30, 2015 8:07 AM

Thank you for your advices. They are very constructive.
You've hit the point, but missed with one -this is not local initiative. It isn't limited geographically and aiming any user of the cyberspace.
This previous and next comments are directly related to the article - the way how common users learning about security -and the proposal to help them in that effort. This isn't commercial, rather announcement. Ultimately Safety Culture Initiative is working for pro publico bono, and is rather the framework than product.

You are welcome to support our efforts with your knowledge and English language skills.
You've noticed that we have an idea, but also lack of people skilled with communication skills. Please join the Initiative and help other native English language users to learn more about information security, if you find time for such community or social actions.
Once again, thank you for your comments and I hope, that we can make a difference in the way users understand the communication between them.

codec networksOctober 13, 2016 4:44 AM

The purpose of the Computer Security training program is to provide students with the necessary knowledge and skills to protect their information resources. This class will immerse students into an interactive environment where they will acquire fundamental considerate of various computer and network security threats such as identity theft, credit card fraud, online banking phishing fraud, virus and backdoor, emails hoaxes, sex offenders lurking online, loss of confidential information, hacking attacks ,social engineering. More importantly, the skills learnt from the class helps students take the necessary steps to mitigate their security exposure.
CODEC Networks provides Services in Web security and Ec council accredited training center in Delhi,India. It’s also provides Computer Security Courses,Computer Security Training,Computer Security Exam,Computer Security Certification & more Security Training .

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.