
Security expert: User education is pointless

By Joris Evers
Staff Writer, CNET
October 12, 2006

MONTREAL -- Forget about teaching computer users how to be safe online.

Users are often called the weakest link in computer security. They can't 
select secure passwords, and they write down passwords and give them out 
to strangers in exchange for treats. They use old or outdated security 
software, can't spell the word "phishing," and click on all links that 
arrive in e-mail or instant messages, and all that appear on the Web.

That's the reality, Stefan Gorling, a doctoral student at the Royal 
Institute of Technology in Stockholm, Sweden, said in a talk at the 
Virus Bulletin conference here Wednesday.

When things go wrong, users call help desks, either at their company or 
at a technology supplier, such as a PC maker, software maker, or an 
Internet access provider, which can cost a fortune. The solution, many 
technologists say, is to educate the user about online threats. But that 
doesn't work and is the wrong approach, Gorling said.

"Might it be so that we use the term and concept of user education as a 
way to cover up our failure?" he asked a crowd of security 
professionals. "Is it not somewhat telling them to do our job? To make 
them be a part of the IT organization and do the things that we are 
bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations 
in particular the security task belongs with IT departments, not users, 
he argued. Just as accounting departments deal with financial statements 
and expense reports, IT departments deal with computer security, he 
said. Users should worry about their jobs, not security, he said.

It isn't productive, for example, to ask users to detect e-mails that 
seek to con them into giving up personal e-mail, he said. "Phishing is 
too hard to detect, even for experts."

And even if people can be trained, they can't be trusted to be on guard 
all the time, he said.

"I don't believe user education will solve problems with security 
because security will always be a secondary goal for users," Gorling 
said. "In order for security to work, it must be embedded in the 
process. It must be designed so that it does not conflict with the 
users' primary goal. It can't work if it interferes."

Some examples of built-in security mentioned at Virus Bulletin include a 
phishing shield in Web browsers, virus filtering in e-mail services and 
programs, and protection as part of instant messaging services such as 
Microsoft's Windows Live Messenger.

Gorling found fans and adversaries in the Virus Bulletin crowd. Martin 
Overton, a U.K.-based security specialist at IBM, agreed with the 
Swedish doctoral student. Most computer users in business settings just 
want to focus on work and then go home to spend the money they made, he 

"It really is a nightmare. User education is a complete waste of time. 
It is about as much use as nailing jelly to a wall," Overton said. 
"There is no good trying to teach them what phishing is, what rootkits 
are, what malware is, etc. They are not interested; they just want to do 
their job."

Instead, organizations should create simple policies for use of company 
resources, Overton said. These should include things such as mandatory 
use of security software and a ban on using computers at work to visit 
adult Web sites, he said.

IT staffers, on the other hand, do need training. And when they have to 
come to the rescue of a "click-a-holic" with an infected PC, it's 
possible under those circumstances that some preventive skills will rub 
off on the user, Overton said. "A bit like pollination, but without the 

Others at the annual conference for antivirus and security professionals 
advocated user education.

The trick is to know what you're talking about and to bring the 
information in a format people understand, said Peter Cooper, a support 
and education specialist at Sophos, a security company based in England.

"It is a long process, but if we admit defeat now we're just going to go 
to hell in a handbasket," Cooper said. "Education in every area works."

Microsoft has long been an advocate of user education. Matt Braverman, a 
program manager for the software giant, advocated the use of specific 
threat examples to inform users, such as samples of malicious software 
and e-mail messages that contain Trojan horses.

"If we can look at the most successful tactics that the user is likely 
to fall victim to, you're more likely to get the message through," 
Braverman said.

Jill Sitherwood, an information security consultant at a large financial 
institution, has seen education both fail and succeed. "I have to 
believe it works," she said. "When we give our awareness presentations, 
what signs to look for, I have seen a spike in the number of incidents 
reported by our internal users."

But online consumers are a tougher crowd to get through to.

"We have a special page on our Web site to report security incidents. We 
had to shut the e-mail box because customers didn't read (the page) and 
submitted general customer service queries," Sitherwood said.

Copyright 1995-2006 CNET Networks, Inc. All rights reserved.
