You Can’t Teach Normal Users About Security

Expecting people to reason outside of their experiences when confronted with a suspicious situation on their PCs probably isn’t going to work out well.

Thank you, Bruce Schneier. In an excerpt of an interview he gave to Educause, he spoke a painful truth about people and computer security, but one that needed to be repeated.

Unless someone is immersed in technology, and in the hazards malicious people pose to inboxes and browsers, they simply aren’t going to treat their PCs with the same level of care a security pro will.

Schneier put it this way:

There’s nothing we can do to educate users, and anyone who has met an actual user knows that. Users are going to pick up their knowledge from their experiences. You can try to teach them stuff explicitly, but it’s not going to stick in the same way that experiences do, and unfortunately, the experiences often don’t match our reality, whether it’s an experience of fear, an experience of an attack, or an experience of no attacks. Rather than focus on what can we do to educate users, we need to focus on building security that doesn’t require educated users.

In February 2007, Schneier talked about an optimism bias that often motivates people to take a risk where they should not. This hinders their decision making, and in computer security can mean clicking a link, downloading something, or sending money electronically to a Nigerian prince so he can get even more money out of a bank and share it with his new friend.

As we have harped on a few times, security for networked machines must be pushed out to the gateway. If an 11-year-old manages to figure this out, what needs to happen to take the fight to the borders on a broad enough scale to put people like the Russian Business Network criminals or the (allegedly) state-supported Chinese info specwar operatives on their heels?

People can be made aware to a point about the threats out there. Should we consider it a failing of information security that they are still exposed, at home or in the office, to any number of attacks that need one moment of weakness to wreak havoc?

We denigrate users for their actions, but the person who ends up with a bad case of PC ebola probably isn’t a stupid or malicious individual. They make decisions based on their experiences and desires. It’s not even inherently evil, just ill-considered.

One might think this discussion is a step away from suggesting some overly controlling, Big Brother-ish mechanism to police the flow of data. Control is needed, but there is no reason an effective approach can’t be open about its methods and about the kinds of data it stops at the gateway.

Audits and accountability. Checks and balances; I’m sure I heard about those in school.

We live in a scary world. The Fear doesn’t end by locking the door and firing up the PC. Effective, trustworthy electronic security should be a goal on a national scale. It will take cooperation between networks, solution providers, and yes, the denizens inside the Capitol Beltway too.

The need is more pressing than ever.
