Version: 2008

Comments on: Security expert: User education is pointless

Most office workers can't be made to care about phishing, rootkits or spyware, he says. Other specialists disagree.

Showing 2 of 3 pages (104 Comments)
This article is pointless....
by Jim Hubbard October 12, 2006 6:47 PM PDT
While I agree that users are stupid, that is because they choose to be so.

CNET and countless other websites offer free PC advice to keep users safe. It's not that they don't know or don't understand (I mean, really, how hard can it be to understand "don't take candy from strangers"?), it's that they don't give a damn.

Users want what they want, when they want it...like little children. And, like little children, they will make bad choices that get themselves hurt from time to time.

Does that mean that we revert to green screen mainframe apps with absolutely no access to anything but the company apps?

Well, you could - at a cost of reduced productivity and innovation versus your competition. Or, you could just fire those that refuse to abide by the simple rule "don't take candy from strangers".

In all probability, if they are too simple-minded to follow this rule, they are a danger to you, your staff and your company.

Fire them now.
Computers are like cars
by ademers October 12, 2006 7:12 PM PDT
Sure, it's not my job to know everything about the inner workings of the car. That's what mechanics are for. It is my responsibility to take basic care of the car.

Clicking every link sent to you, visiting every porn site, not checking for suspicious files as you download them, not using antivirus software, installing random 'free' crap (such as 'free' msn smilies, etc) is akin to neglecting your car's needs. If the consumer takes a sledgehammer to their car, doesn't get a regular oil change, hits speed bumps at 70kph, floors the pedal on a cold engine all the time, and urinates in the gas tank, the car will eventually stop working properly, and it's the owner's fault for abusing it. However, when people do the same to their computers, it's the IT department/software vendor's fault? Come on people, seriously.

Yes, it's the IT people's job to do the regular maintenance and repairs. However, if the person using the machine abuses it, it's going to fail no matter how good your security setup is. The sooner people know how to take basic care of their machines, the better.
Follow the $$$
by Jonathan October 12, 2006 7:34 PM PDT
Part of the problem is simply that companies are unwilling to spend money on training. At the former company I worked for, they started downsizing IT. One of the first people to get the ax was the training department. The last being my job as network admin. When I left, you could ask someone to go into their file browser and you would get a blank look. Amazing what 4 years without someone to train your people will accomplish. I'm sure that a good custom-made virus distributed via social engineering could bring this company to their knees, all because they won't spend money on educating their employees.
What if doctors were like users?
by Jim Hubbard October 12, 2006 7:47 PM PDT
What if your doctor refused to read the manuals about that new surgical laser because he had a backlog of patients to cut into?

What if your pharmacist refused to educate him/herself on the drug interactions of medications that you were taking?

What if your doctor just didn't have the time to go to "Open Heart Surgery 101", but was about to cut you open and repair your damaged ticker?

I admit it, these are all extreme cases. But, should an office worker NOT be required to educate themselves before using their equipment also?

The doctors get basic training (at their expense) BEFORE they enter residency at a hospital. You should only hire workers who have done the same.

It's not the workers' fault. It's yours for hiring them.
IT Attitude Adjustment Needed
by oconnmic October 12, 2006 7:54 PM PDT
One programmer to another, "I'm going to make this really user friendly. Even more user friendly than control+alt+delete!"

Seriously, as an educator I can understand the frustrations of trying to teach but an attitude of condescension toward the learner is not a good start.
Giving out passwords
by oconnmic October 12, 2006 8:02 PM PDT
How about the IT departments who don't change the password that comes with the program when it is installed? One place I worked at, it was not uncommon to be able to modem into a site and, when prompted, type the default password and get full admin access. And what about those IT "professionals" who put a file on the end user's computer with the username and password so they can access it when they have to work on that machine? Stupidity is a two-way street.
Modem? What's dat? =;o)
by unigamer69 October 14, 2006 9:17 AM PDT
You say "modem into" a site.. what's that thing you call a modem? =:oD

It's a museum piece, I think. Or close to it. =xoD

(Seriously though, I guess they tend to be used as backup.)
Linux - not Windows
by bbaston October 12, 2006 8:11 PM PDT
I looked for mention of Microsoft Corporation and its monopolistic position in contributing to the breakdown in computer security.

What is needed is a fundamentally secure platform upon which to operate. Or one with fewer than a thousand sieve holes per CPU cycle. Or Linux.

Seems Bill Gates rules our independent thinking here?
Fundamentally secure? That's a non-sequitur.
by unigamer69 October 14, 2006 9:21 AM PDT
You get enough lines of code, there'll be plenty of bugs. It's a basic rule of the universe.

It doesn't matter what OS it is - and I'm saying this while using Linux!
But Linux has far more holes than Windows
by richto October 15, 2006 11:54 AM PDT
But Linux has far more holes than Windows (see CERT). And takes on average twice as long for critical holes to be patched. (See several whitepapers on the subject).

So if everyone used Linux the problem would be far worse....
once every what?
by mattumanu October 12, 2006 8:23 PM PDT
You do updates once every six months? New updates come out every month.

I've been running this computer on the original installation of windows for nearly two years. I use AVG antivirus, windows firewall, automatic updates and adaware, and that's it. I've had two viruses ever, and one of them was questionable because there was no consensus as to what it really was. I'd love to own a mac, but I don't believe it would be too much better than what I've got right now.

Also, owning a mac won't help a user who surfs for porn, downloads "free" screensavers and uses filesharing programs to illegally download both music and movies. Users who engage in such behavior get what they deserve. Companies who do not have strict rules concerning computer usage get what they deserve. If all the PCs in the world suddenly turned into Macs tomorrow it wouldn't help save users from themselves. They'd still be surfing for illegal mp3s, pirated movies and porn (possibly even child porn), they'd still click on email attachments that are questionable, they'd still fall victim to phishing and other scams, they'd still mess around in file folders they shouldn't be messing around in... They'd still have kids buggering up their computers! They would still be buggering them up themselves!

Keep in mind the standard profile of a standard user, regardless of type of computer or operating system. On their own personal PCs they use their computers to gather up huge collections of (mp3s/movies/porn[jpgs and movies]) till the computer crashes, then reinstall the operating system and start all over. These same users go to work, and on the computer they have at work they engage in the same behavior (emailing their mp3s/movies/porn[jpgs and movies] to themselves while taking advantage of the T3 speeds at work), but instead they call IT to fix the computer after they've buggered it up. Hackers simply use this stupid behavior to their own advantage.

But I'm told that better security programs and buying a mac will fix all of that. Riiiiight!
So it's all our fault?
by Bob H in NPR October 12, 2006 8:43 PM PDT
I have read the first 48 responses to this article. Nobody addressed the issue of inexperienced users, except to call us lazy and stupid. Everyone is talking about networks. What about all the small businesses, schools, and individual users? We don't count? Cripes, first you guys create a foreign language for these things and keep adding new words. Then we are supposed to automatically know all there is to know about these systems and all the different security problems and how to fix them. Meanwhile these problems are constantly changing. It is our fault that Internet Explorer has to shut down often because it has been attacked by malware?

How come some of the most effective web tools are produced open source? Firefox, Opera, Linux, Unix, and hundreds of others which are more secure than the big MS conglomerate tools. Mac builds a more secure machine and operating platform. Almost all of MS patches are conceived and released for free by outside resources before MS admits there is a problem. And now MS is ready to introduce a system that will lock out all current Anti-bad-bug tools that have kept the Web & the Windows platforms usable for years.

But we end users are supposed to keep the Web operating by adopting half measures? What a joke!! If it was GM or Ford, you all would demand recalls, up to and including the paint. If a seat belt breaks, they get sued & lose. It is time for the largest monopoly in the world to take responsibility.
Re: So it's all our fault?
by mattumanu October 12, 2006 8:49 PM PDT
~~So it's all our fault?~~

Yeah, it is, Bob%20H%20in%20NPR... How in blue blazin' screens did you manage that?
Check out NetAlter
by guyfrom2006 October 12, 2006 11:56 PM PDT
A new system is being developed which will be virtually Virus and Spam free. The product is due to ship out in 2007.
This person is destined for the board of directors
by Joe Koskovics October 13, 2006 6:40 AM PDT
In the degrading comments about end user e-attitudes, security, and e-lifestyles, I feel the comments made were from someone who wants to be king.

The comments only go to promote failure. And you can not condition people into failure...period. Otherwise you will get exactly what you ask for. Failure to properly inform, educate, and encourage safe computing lifestyles (whether it may be at home or work) is reckless.

Where is this individual planning to work, HP?
Self Preservation
by Wiz Wildstar October 13, 2006 6:55 AM PDT
Having read all the previous posts, I have noted that there is a lot of comment centered on the IT department's responsibility for end-user security. I agree that the IT staff IS responsible for network security and maintenance. However, the end-user is also responsible for their own station.

The concept of "You get what you can handle" has been the accepted policy in society for centuries, and it should be no different in the world of computing. Much of the responsibility should fall on the executives in charge of personnel and staffing. Just because you give someone an airplane, does not automatically make them a pilot! If someone continues to crash their plane, they should be afforded an opportunity to learn how to properly handle it. Then, if they continue to crash, it's time to pull their license and ground them.

The idea of "reworking" the internet from the ground up is overly extreme. The world is full of natural barriers and hazards, and mankind has found ways to build bridges over, under, or around them. However there are still those who will choose to leap from these bridges. Unfortunately, in the world of computer networking, they are holding each others hand, and when one goes "over the edge" they can take many others with them.

Basic understanding and education ARE a major requirement. Mommy and Daddy taught us not to step into an open manhole, or walk blindly across a busy street. So it should be with those who are expected to use a computer in their daily workday lives. Learning to use a file browser and passwords are as basic a rule as not chewing gum while giving a presentation, or launching spitballs at the teacher. If they can't follow these simple social rules then they should not be allowed to "play" with the hardware! It's that simple.

In today's society, the "everyone wins and no one loses" concept is not even close to realistic. You are not "entitled" to internet access, or for that matter even a computer at your workstation if you cannot follow the IT rules of the company. Period! If you want to surf the porn sites, IM everyone on the planet, or check your personal e-mail, go home and trash your own computer, NOT the boss's.

I have worked on thousands of systems over the last 20 years and almost every system security breach has been caused by user ignorance, both end user and IT "professional". Not that they were "ignorant" people, in most cases far from it. But because they were placed in a position to use equipment/software they did not fully understand.

As with every field of expertise, there are different levels of experience and ability. No one would expect the guy at the "quick lube" to rebuild the engine in their car, or go to a podiatrist for a heart problem. So it is with computing. Just because someone knows how to set up a computer does not mean they are an IT pro, and vice versa. Executive management tends to base its decisions mainly on financial factors, not qualifications. Maybe it's time the boss was a little better educated before he blames a janitor for crashing his prized network!

fin.
Good Article About Stupid User Tricks
by MadMark October 13, 2006 7:42 AM PDT
Check out this article from e-Security-Planet, regarding a Cisco security behavior survey, entitled "How insecure do you think you are?"
http://www.esecurityplanet.com/trends/article.php/3637806

Cheers!
Mark
Shame on the Virus Bulletin conference for giving this nut the platform
by wshrader October 13, 2006 7:51 AM PDT
All that I can imagine is that Stefan Gorling is using this controversial stance to make a name for himself - hope he never has to look for a job.
User education is just one of many tools
by howiem October 13, 2006 9:32 AM PDT
Unless and until there is complete technology based security, educating users is another necessary tool. Gorling talks mainly about the corporate environment, but what about home users? The operating systems available are not completely secure, there is no defense against phishing except getting users to create links in their browser favorites and never use anything but those links to access websites where they can lose money through a phish. I've been educating users for years and it works...not 100% because some don't get it, some don't want to get it and others are just careless, but for most they try to understand and learn. This rant of Gorling is reminiscent of the Hawthorne effect. Maybe someone needs to give Gorling a lightbulb - after all, he is getting far too much attention, and still doesn't get it.
Pointless Indeed
by Sentinel October 13, 2006 11:24 AM PDT
Working as a support technician for more than three years, I believe Gorling is correct. User education yields little or no results at all. I remember a few months ago a user called because "his machine was too slow". When I went to have it checked out, he had installed every possible toolbar, free screensaver and free game ever to exist on the Internet on his PC. Actually that is an exaggeration, but he did have about seven different "search bars" on his IE, and had screensavers for most of the major holidays. After I cleaned his PC and told him why I had to erase all his "nice" screensavers, he said he understood, but a few weeks later the toolbars were back! Any word from the IT department restricting resources or access to sites is viewed as "the lazy IT people not wanting to do their job".

By the way, restricting file types doesn't work either. At our company, sending of .doc files was prohibited, but just rename them as .txt and they go through. Also works for IMs. So much for Windows security.
Computer security is just as important as physical security
by H Voyager October 14, 2006 6:19 PM PDT
And depends just as much on employees carrying out proper practice, as it does on Security personnel.

Trust me, no matter how good a company's security guards are, they're near powerless to stop an employee from spilling the beans on their company's latest product, if the employees themselves aren't trying to guard that stuff.

While it is up to the site security division to fit the locks, and write the procedures, it's up to the employees to lock the doors and keep their mouths shut.

Harry Voyager
Internet License Required
by wbenton October 15, 2006 7:45 AM PDT
You are required to have a valid driver's license prior to driving a car.

The SAME should be done for internet driving (errr... browsing).

If you want to access the internet... you must have a minimum skill level.

No need in lowering the bar to meet the weakest link...

Raise the bar and make it a requirement to learn how to properly/safely access the internet or else deny the ability to access the internet.

It would solve the zombie problem. It would shore up our weakest link. It would make people responsible for what they do on the internet.

Nothing bad about that at all.

Much better than lowering the bar!!!

You cannot protect the obese from eating too much... thus no need in reducing the average per/serving food intake served at all restaurants all over the US to curb obesity!!!

Walt
Education isn't always pointless
by Black_hole October 15, 2006 11:36 AM PDT
Some people are just computer illiterate, and no matter how hard you try to teach them they will never learn, but the people who are like that usually don't use computers for more than an occasional web search, or if they have an email they will check that.
But these people are the really old 50+ or were around during the infancy of the start of the computer age and don't really need it, but for anyone under the age of 40 they should at least be able to know how to keep themselves safe on the internet. Education is the key there, but if the stupid companies would just make their protection programs a little simpler then it would be a lot easier.
User Education
by mooselite October 16, 2006 7:21 AM PDT
Sure, if your goal for user education is to get your users to be the primary means of defense for your network, you are wasting your time. However, with a layered approach to protecting your network, you have to include the users. There are advantages and disadvantages to user education, but if implemented correctly (with accurate, attainable goals), user education provides another defense mechanism for your network. However frustrating it may be, it is certainly not a waste of time.