“During one meeting I had the opportunity to debate the pros and cons of user education. For the most part I am against education, which might be surprising to a lot of people. Here's why staying away from education can save your company money and keep you more secure.”
I agree user education has not, will not, and cannot achieve the results that we’d all like to see. Yet I wouldn’t advocate closing the classroom either. User education doesn’t need to be comprehensive to be worthwhile. I think we need to reset our expectations and adjust our business practices to something more reasonable. User education only needs to be capable of catching/preventing SOME of the most stupid-easy attacks the bad guys might try, providing just enough value to justify continuing it. What I’d like to see is users begin viewing computer/Internet security the way they already perceive ATM/Debit Card security. For example:
| ATM/Debit Card habit | Computer/Internet equivalent |
|---|---|
| Don’t tell anyone your Debit Card PIN | Or your passwords |
| Don’t leave your wallet/purse (with card in it) unattended | Or your screen unlocked |
| Mask the keypad while you type in your PIN | Beware of shoulder surfers |
| Don’t give card numbers over the phone unless you initiated the call | Beware of out-of-the-blue links in email asking for your password |
The list goes on with things we tend to do naturally. This won’t stop more sophisticated card-skimming attachments, fake machines, or massive theft of magnetic track data. These precautions are designed only to thwart a few simple attacks and help the user feel safer, which is another piece of added value. Along the same lines, I think a growing percentage of users want to protect themselves from phishing/trojan scams, and we should continue assisting them. Then we can focus the bulk of our attention on the more effective methods RSnake describes. Personally, I’d also be curious to hear RSnake’s thoughts on developer education, because I think a lot of the same principles may apply.