Full Disclosure mailing list archives

Is user education a lost cause?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 20 Jan 2004 16:15:56 -0600

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Tobias Weisserth
Sent: Tuesday, January 20, 2004 2:54 PM
To: Mary Landesman
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Anti-MS drivel

> We all agree that the people behind these attacks are the bad 
> guys. But we can't change them, we can't eradicate them. We 
> have to live with them.

To a certain degree I agree with you, however my viewpoint isn't quite
as bleak.  I believe there are *some* things we can do to at least
reduce the number engaged in this type of activity.

> The one thing we can change though is 
> accepting or not accepting the way vendors ship software.

What about changing users?  You don't allow for any of that at all?  I
think it's not only possible but will happen over time.  Just as people
learned the rules of the road for driving (and some seem to never
learn), I believe many will learn the rules of the road for the
Internet.  It just takes time, just as driving rules took time.  (In
fact, we're still learning, aren't we?)

I think one of the "security community's" basic responsibilities is to
educate users and to never give up on educating users.  After all, one
of the most important parts of our job is writing policy, is it not?  If
that's true, and yet we don't believe users can be educated, then why is
policy writing so important?  Obviously it's because we believe that
policy can change *most* users.  Yes, there will always be some small
percentage that are either stupid or combative, but the vast majority
just need to understand the risks in order to know how to behave in a
secure manner.
 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

