Monday, December 31, 2007

user education from a different angle

this is rather old but back in september, mike rothman posted an introduction to security mike's guide to internet security and while i was reading it a light bulb went off in my head...

i'm not sure a book (the guide is an ebook he sells, though there's a portal and a blog associated with it) can really start the kind of grassroots security movement mike is aiming for... i think there are inherent barriers in the scenario that would inhibit that, in fact... for one thing, the security knowledge that is supposed to be the currency of that grassroots movement is bound to an artifact (the ebook) and that artifact's distribution is controlled (more or less) by a commercial business model (mike put effort into that book and rightly wants to get paid)... the end result is that people have to want the knowledge in that book... they have to want it badly enough that they're willing to pay for and read the book, and that means that to some extent mike is probably going to wind up preaching to the choir...

what really piqued my interest, however, was the question that came to mind of whether or not those barriers could be removed... obviously the book could be made free, and that would be one barrier down, but the knowledge contained within it would still be bound to it... in order to get the knowledge you'd need to get the book, and in order to pass on the knowledge you'd have to pass on the book... passing the knowledge on from one person to the next is clearly a requirement for mike's grassroots security movement, and in the broader context that security movement sounds an awful lot like the "culture of security" i've often heard we need... but a culture tied to a book just doesn't seem like it would be successful now... it certainly was in the past when books and culture were inextricably linked, but that time ended long (on the order of centuries) ago... what if the information could be passed from person to person without the book? perhaps not all as one big chunk but rather piece by piece... what would that look like?

then it struck me - that would look like a meme... a unit of cultural information that replicates from one mind to another by way of imitation... so then i set about trying to learn more about memes (did anyone miss me in october?) because i didn't (and still don't, really) know all that much about them... what i found was that virtually all culture can be regarded as being memetic in nature, whether it be religion or consumerism, politics or littering (you didn't think memes were the exclusive domain of lolcats, did you?)... in fact, once you have an idea of what you're looking for you start being able to see it in all sorts of things...

as an aside, even going to school and reading books and learning things the old-fashioned way are memetic, so you might be wondering why a security ebook wouldn't be just as successful... the reason has to do with the hook for the meme... up to a certain age you have to go to school, it's not even a choice, but if you want to be even moderately successful in later life you need to get good grades and not flunk out - which means reading the books and learning the material... later on, if you want an even better life, you enroll in post-secondary education and read books and learn material so you can get your diploma, get a good job, and so on... what's in it for you as far as a security guide goes? do people generally want to learn about security? is it going to make a clear and obvious improvement in the quality of one's life? will there be frat parties along the way or hot guys/girls to chat up in class? no, a security guide doesn't have nearly as much going for it from a memetic-hook point of view as academia does, and academia isn't exactly the most successful meme either (just look at how relatively few participate in it compared to religion or tv watching, for example)...

another thing that i've learned is that in order to use memes to disseminate security knowledge (or at least promote more secure behaviour) it's going to be necessary to engage in memetic engineering in order to construct suitable memes - though i'm still looking for better sources on what's involved in meme synthesis and/or meme splicing, because so far my best attempts have turned out to be just meme hacks... now, if you're thinking that memetic engineering sounds a bit like social engineering, well, you'd be right, and the irony of using such a technique for good instead of evil is not lost on me... i suppose you could call it a kind of white-hat social engineering...

the more interesting bit of irony (to my mind at least) is that using memes to help people make themselves more secure against malware and other security threats means using something with similar properties to the best-known form of malware - viruses... indeed, memes have even been referred to as viruses of the mind... it is this very viral quality that i think needs to be exploited in order to reach a wide enough group of people to "suffocate the bad guys" (as mike put it) and bring about the "culture of security"...
