Is User Education Working?

By Bruce Schneier
Information Security
April 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus's side can be found on his website.

Marcus, you ignorant slut.

Okay; that’s unfair. You’re not ignorant. You understand technology and security. You’ve spent years steeping in the stuff. You’re fluent in computers – and most importantly – in computer security.

The average users are not. They might be fluent in spreadsheets, or eBay, or sending stupid jokes over e-mail; but they’re not technologists, let alone security people. So of course they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile.

Part of the problem is generational. We’ve seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach these newfangled technologies with trepidation, distrust, or confusion, while the children who grew up with them understand them intuitively.

But while the don’t-get-it generation will die off eventually, we won’t suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there’s no time for any generation to become fluent in anything. Remember when e-mail was plain ASCII and you didn’t have to worry about it? Today, e-mail can contain executable code. Tomorrow, who knows? Maybe we’ll be able to click on attachments with wild abandon. And maybe ten years from now it’ll be dangerous yet again.

Earlier this year, researchers ran an experiment in London’s financial district. Someone stood on a street corner and handed out CDs, saying they were “a special Valentine's Day promotion.” Many people, some of them working at sensitive workstations in banks, ran the program on the CDs at their work computers. The program was benign -- all it did was alert some computer on the net that it was running -- but it could just have easily been malicious. CDs walking in through the front door bypass all sorts of network security countermeasures, and most companies have policies against employees doing this. The authors of this study concluded that users don’t care about security. That’s simply not true. Users care about security; they just don’t understand it.

I don’t see a failure of education; I see a failure of technology. It shouldn’t have been possible for those users to run that CD. It shouldn’t have been possible for a random program stuffed into a banking computer to “phone home” across the Internet.

The real problem with computers is that they don’t work well. The industry wants to have it both ways. They’ve convinced everyone that people need a computer to survive, and at the same time they’ve made computers so complicated that only an expert can maintain them. Corporate users get by because there’s an IT department a phone call away; home users rely on the charity of their more sysadmin-inclined friends or suffer in silence.

Computers need to be secure regardless of who’s sitting in front of them.

If I go downstairs and try to repair the heating system in my home, I’m likely to break all sorts of safety rules -- and probably the system and myself in the process. I have no experience in that sort of thing, and honestly, there’s no point trying to educate me. But my home heating system works fine without my having to learn anything about it. I know how to set my thermostat, and to call a professional if something goes wrong.

Punishment isn’t something you do instead of education; it’s a form of education. It’s a very primal form of education, best suited to children and animals. (And experts aren’t so sure about children.) I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.

earlier essay: Let Computers Screen Air Baggage
later essay: Why VOIP Needs Crypto
categories: Computer and Information Security
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..