4:25 PM -- I had the pleasure of meeting some rather prestigious people while I was at the RSA Conference last week -- some of the most respected people in the industry in more than one way. During one meeting I had the opportunity to debate the pros and cons of user education. For the most part I am against education, which might be surprising to a lot of people. Here's why staying away from education can save your company money and keep you more secure.
Users tend to know they don't know much. They rely on their IT departments to keep them safe at work, and they call their kid brothers when their home computers go bad. They don't rely on their own expertise to keep them safe, nor should they: they are not qualified for it. Just as you shouldn't be fixing gas mains, you don't want your employees trying to build their own secure environment. They will almost certainly get it wrong, and when they do, it degrades the equipment, it costs IT resources to fix, the employee stops working productively while the laptop is in the shop, and you may lose confidential information in the process.
My esteemed colleagues felt that users aren't good at security because they aren't forced to be. They felt users should be held more accountable: if they mess up, they should suffer the consequences of their mistakes.
Somehow I think the security community has lost touch with reality. Users are already tormented by their mistakes. They get phished, they lose documents when their computers crash, and they have to buy new hardware when their computers become unstable. Users have been losing valuable time and resources for a decade now, and nothing has changed -- if anything, the problem has gotten worse. No one has been better at explaining the perils of the Internet than the press itself. Yet phishing is on the rise.
Let's look at the evidence: Identity theft in some form or another has hit more than 4% of the U.S. population, according to the FTC (counting both online and offline attacks). Phishers even include the standard trust message ("Don't click on any links in an email") in their own phishing emails. Lastly, the recent Harvard and MIT study found that Bank of America's Passmark security works in fewer than 10% of cases, even though users pick their own photos themselves.
Education isn't working. So what is the answer?
We (the security community) have to assume our users are going to fail at every turn. We have to stop leaving them room to make those mistakes. We need to take security out of their hands. No more local admin access. They don't decide when and how patches are applied.
They don't take laptops home and then bring them back onto the network without first being isolated and scanned with antivirus and anti-spyware tools. We do content filtering so they can only reach trusted sites, or go so far as to isolate Internet machines from intranet machines (virtual environments, etc.). The list goes on and on, but the reality is that if we don't do it for them, users never will.
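To make the "content filtering so users only reach trusted sites" point concrete, here is an added example of the decision logic such a filter applies at the proxy rather than leaving the judgement to the user. This is example code written for this column, not code from the original post or from any filtering product; the trusted-domain list and the sample URLs are constructed for the example. It deliberately covers the tricks phishing links use to look trusted: a look-alike subdomain such as `example-bank.com.evil.net`, a `user@host` prefix that puts the trusted name before the real host, raw IP addresses, non-http schemes, and an internationalized look-alike with a Cyrillic letter.

```python
"""Allowlist-based URL filter (added example; not from the original column).

The filter, not the user, decides whether a link may be followed.
TRUSTED_DOMAINS and SAMPLE_URLS are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the organisation trusts.
TRUSTED_DOMAINS = {"example-bank.com", "intranet.example.org"}


def hostname_of(url):
    """Return the normalised ASCII hostname of `url`, or None if the URL
    is not a plain http(s) URL with a usable host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None             # javascript:, data:, ftp:, or no scheme at all
    host = parts.hostname       # lowercased, userinfo and port removed:
    if not host:                # "https://example-bank.com@evil.net" -> "evil.net"
        return None
    host = host.rstrip(".")     # "example-bank.com." is the same host
    try:
        # Unicode look-alikes ("ex\u0430mple-bank.com") become xn-- labels
        # and therefore never string-match an ASCII trusted domain.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:        # empty label, over-long label, etc.
        return None
    return host


def is_allowed(url, trusted=TRUSTED_DOMAINS):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = hostname_of(url)
    if host is None:
        return False
    try:                        # raw IP literals are never on the allowlist
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Match on label boundaries: "www.example-bank.com" is allowed, but
    # "example-bank.com.evil.net" is not, because the suffix test uses ".".
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify(urls, trusted=TRUSTED_DOMAINS):
    """Map each URL to its allow/deny verdict."""
    return {u: is_allowed(u, trusted) for u in urls}


# Constructed sample links of the kind found in mail and web traffic.
SAMPLE_URLS = [
    "https://example-bank.com/login",
    "HTTPS://WWW.EXAMPLE-BANK.COM/accounts",
    "https://example-bank.com.evil.net/login",
    "https://example-bank.com@evil.net/login",
    "http://192.0.2.10/example-bank/",
    "http://[::1]/",
    "https://ex\u0430mple-bank.com/login",   # Cyrillic a in "example"
    "ftp://example-bank.com/statements",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print("ALLOW" if ok else "DENY ", url)
```

A real deployment does this inside the proxy or DNS resolver, where the user cannot route around it; the point of the snippet is that every one of the bypass cases is decided by code the user never sees, which is exactly the "take it out of their hands" model the column argues for.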
Education only confuses the issue. We in IT are the only ones with any hope of fixing the problem at its source -- our own users.