By Joris Evers
Staff Writer, CNET News.com
October 12, 2006
MONTREAL -- Forget about teaching computer users how to be safe online.
Users are often called the weakest link in computer security. They can't
select secure passwords, and they write down passwords and give them out
to strangers in exchange for treats. They use old or outdated security
software, can't spell the word "phishing," and click on all links that
arrive in e-mail or instant messages, and all that appear on the Web.
That's the reality, Stefan Gorling, a doctoral student at the Royal
Institute of Technology in Stockholm, Sweden, said in a talk at the
Virus Bulletin conference here Wednesday.
When things go wrong, users call help desks, either at their company or
at a technology supplier, such as a PC maker, software maker, or an
Internet access provider, which can cost a fortune. The solution, many
technologists say, is to educate the user about online threats. But that
doesn't work and is the wrong approach, Gorling said.
"Might it be so that we use the term and concept of user education as a
way to cover up our failure?" he asked a crowd of security
professionals. "Is it not somewhat telling them to do our job? To make
them be a part of the IT organization and do the things that we are
bound to do as a specialized organization?"
In Gorling's view, the answer to those questions is yes. In corporations
in particular the security task belongs with IT departments, not users,
he argued. Just as accounting departments deal with financial statements
and expense reports, IT departments deal with computer security, he
said. Users should worry about their jobs, not security, he said.
It isn't productive, for example, to ask users to detect e-mails that
seek to con them into giving up personal e-mail, he said. "Phishing is
too hard to detect, even for experts."
And even if people can be trained, they can't be trusted to be on guard
all the time, he said.
"I don't believe user education will solve problems with security
because security will always be a secondary goal for users," Gorling
said. "In order for security to work, it must be embedded in the
process. It must be designed so that it does not conflict with the
users' primary goal. It can't work if it interferes."
Some examples of built-in security mentioned at Virus Bulletin include a
phishing shield in Web browsers, virus filtering in e-mail services and
programs, and protection as part of instant messaging services such as
Microsoft's Windows Live Messenger.
Gorling found fans and adversaries in the Virus Bulletin crowd. Martin
Overton, a U.K.-based security specialist at IBM, agreed with the
Swedish doctoral student. Most computer users in business settings just
want to focus on work and then go home to spend the money they made, he
"It really is a nightmare. User education is a complete waste of time.
It is about as much use as nailing jelly to a wall," Overton said.
"There is no good trying to teach them what phishing is, what rootkits
are, what malware is, etc. They are not interested; they just want to do
Instead, organizations should create simple policies for use of company
resources, Overton said. These should include things such as mandatory
use of security software and a ban on using computers at work to visit
adult Web sites, he said.
IT staffers, on the other hand, do need training. And when they have to
come to the rescue of a "click-a-holic" with an infected PC, it's
possible under those circumstances that some preventive skills will rub
off on the user, Overton said. "A bit like pollination, but without the
Others at the annual conference for antivirus and security professionals
advocated user education.
The trick is to know what you're talking about and to bring the
information in a format people understand, said Peter Cooper, a support
and education specialist at Sophos, a security company based in England.
"It is a long process, but if we admit defeat now we're just going to go
to hell in a handbasket," Cooper said. "Education in every area works."
Microsoft has long been an advocate of user education. Matt Braverman, a
program manager for the software giant, advocated the use of specific
threat examples to inform users, such as samples of malicious software
and e-mail messages that contain Trojan horses.
"If we can look at the most successful tactics that the user is likely
to fall victim to, you're more likely to get the message through,"
Jill Sitherwood, an information security consultant at a large financial
institution, has seen education both fail and succeed. "I have to
believe it works," she said. "When we give our awareness presentations,
what signs to look for, I have seen a spike in the number of incidents
reported by our internal users."
But online consumers are a tougher crowd to get through to.
"We have a special page on our Web site to report security incidents. We
had to shut the e-mail box because customers didnt read (the page) and
submitted general customer service queries," Sitherwood said.
Copyright 1995-2006 CNET Networks, Inc. All rights reserved.
Visit the InfoSec News store!