Firewall Wizards mailing list archives
RE: The home user problem returns
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 13 Sep 2005 19:23:41 -0400 (EDT)
On Tue, 13 Sep 2005, Scott Pinzon wrote:
> I've been watching with a certain morbid fascination as Marcus has ranted in his own blog and in FW-WIZ (and who knows where else) that educating users about security is one of the "dumbest ideas" and "if it was ever going to work, it would have by now." I have tremendous respect for you, Marcus (especially since you have, I dunno, six times the years in computer security that I do). But I can't help feeling, in my pipsqueak opinion, that on this one you're way off base.

Well, statistics would probably bear him out. Anna Kournikova was big enough and fast enough that it *should* have been all the wake-up call we needed. I remember talking to someone who recounted an end-user experience- Admin: "Why did you click on the virus, didn't you see all the press coverage?" User: "Yes, I wanted to see what it would do!"

> -- Ignorance is never better than knowledge in any realm. But particular

My experiences don't run that way- there's lots of stuff I'm perfectly happy not knowing a thing about. Ignorance is bliss.

> to network security, my experience is that most clueless users are also people of good will who will cease dangerous behaviors once they understand those behaviors ARE dangerous.

For about a week- maybe two. Look at the password-for-pens studies and the password training retention studies. While lots of users *do* want to do the right thing, you're ignoring the silent majority who just don't care.

> -- Educating users is another layer in "Defense in depth." If 10 out of 100 users click evil email attachments, and through education you reduce that to 3 out of 100, you've improved that layer.

This is important for click-to-run stuff, where most people don't understand the level of not clicking that will make a piece of malware not global. We need (last time I saw numbers I almost agreed with) about a 35% non-click improvement to have a good gain.

> -- Educating users has been proven to work at company after company. Help desk calls, viral infections, falling victim to phishing emails, and more, have been quantitatively and demonstrably reduced at companies that institute end-user security training.

For how long? Got any long-term citations?

> -- And how do you know "it" (educating end users) is not working? We have no before/after comparison on what the Internet would be like if all of us who preach security had stopped five years ago.

Because they're still getting infected with click-to-run malware.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul () compuwar net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards