RE: The home user problem returns

["Paul D. Robertson" <paul () compuwar net>]

On Tue, 13 Sep 2005, Scott Pinzon wrote:

> I've been watching with a certain morbid fascination as Marcus has
> ranted in his own blog and in FW-WIZ (and who knows where else) that
> educating users about security is one of the "dumbest ideas" and "if it
> was ever going to work, it would have by now." I have tremendous respect
> for you, Marcus (epecially since you have, I dunno, six times the years
> in computer security that I do). But I can't help feeling, in my
> pipsqueak opinion, that on this one you're way off base.

Well, statistics would probably bear him out.  Anna Kournikova was big 
enough and fast enough that it *should* have been all the wake-up call we 
needed.  I remember talking to someone who recounted an end-user 
experience- 

Admin: "Why did you click on the virus, didn't you see all the press coverage?"
User: "Yes, I wanted to see what it would do!"

> -- Ignorance is never better than knowledge in any realm. But particular

My experiences don't run that way- there's lots of stuff I'm perfectly 
happy not knowing a thing about.  Ignorance is bliss. 

> to network security, my experience is that most clueless users are also
> people of good will who will cease dangerous behaviors once they
> understand those behaviors ARE dangerous.

For about a week- maybe two.  Look at the password-for-pens studies and 
the password traininng retention studies.  While lots of users *do* want 
to do the right thing, you're ignoring the silent majority who just don't 
care.

> -- Educating users is another layer in "Defense in depth." If 10 out of
> 100 users click evil email attachments, and through education you reduce
> that to 3 out of 100, you've improved that layer.

This is important for click-to-run stuff, where most people don't 
understand the level of not clicking that will make a piece of malware not 
global.  We need (last time I saw numbers I almsot agreed with) about a 
35% non-click improvement to have a good gain.

> -- Educating users has been proven to work at company after company.
> Help desk calls, viral infections, falling victim to phishing emails,
> and more, have been quantitatively and demonstrably reduced at companies
> that institute end-user security training. 

For how long?  Got any long-term citations?

> -- And how do you know "it" (educating end users) is not working? We
> have no before/after comparison on what the Internet would be like if
> all of us who preach security had stopped five years ago.  

Because they're still getting infected with click-to-run malware.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards