Tuesday, February 28, 2006

user education is working

there is a fairly prevalent opinion in security circles that user education doesn't work... no matter how much you try to teach users, they never learn...

my retort to this is generally along the lines of "ok, give me your name, address, telephone number and credit card information and i'll prove you wrong"... obviously no one is going to give me that information and that proves them wrong - users of credit cards learned not to give that information out to every tom, dick, and harry a long time ago (we know they learned it because it's not knowledge they were born with)...

but sometimes that fails to convince, so here's a personal anecdote... i was out having a meal with some people not too long ago and the conversation briefly turned to email and the woman beside me (whom i had never met before and never coached in any way) said she tends to delete anything with an attachment... she was the first and only person to mention attachments during the brief discussion of email...

we're not talking about a security person or even necessarily a computer person here either - she's a school teacher and she's adopted a behaviour that was unheard of in the general populace 10 or even 5 years ago...

people never stop learning things, and netizens learn to adapt to the threats present in the environment they inhabit - how could they not? staying safe online is a competitive advantage and successful strategies will be discovered and adopted and spread like memes through the computer user population... they don't need to know the internals of how various threats operate or why certain safe-hex behaviours work, only that they do work...
