Tuesday, February 13, 2007

User education is still worth it

Rsnake posted a very good read about Why User Education's a Bust

“During one meeting I had the opportunity to debate the pros and cons of user education. For the most part I am against education, which might be surprising to a lot of people. Here's why staying away from education can save your company money and keep you more secure.”

I agree user education has not, will not, and cannot achieve the results that we’d all like to see. Yet I wouldn’t advocate closing the classroom either. User education doesn’t need to comprehensive to be worthwhile. I think we need to reset our expectations and adjust our business practices with something more reasonable. User education only needs to be capable of catching/preventing SOME of the most stupid easy attacks bad guys might try, providing just enough of value to keep doing it. What I’d like to see is users begin viewing computer/Internet security as they perceive ATM/Debit Card security. For example:

ATM/Debit CardComputer/Internet
Don’t tell anyone your Debit Card PINOr your passwords
Don’t leave your wallet/purse (with card in it) unattendedOr your screen unlocked
Mask the keypad while you type in your PINBefore of shoulder surfers
Don't give card numbers over the phone, unless you have initiated the call.Beware of links in email out of the blue asking for your password

The list goes on on things we tend to do naturally. This won’t stop more sophisticated card skimming attachments, fake machines, or massive theft of magnetic track data. These precautions are designed only to thwart a few simple attacks and help the user feel safer, which another piece of added value. For example, I think a growing percentage of users want to protect themselves from all phishing/trojan scams and we should continue assisting. Then focus the bulk of our attention on more effective methods as Rsnake describes. Personally I’d also be curious to hear RSnake’s thoughts about developer education because I think a lot of the same principals may apply.


Anurag Agarwal said...

My take on developer's education is that it should be integrated at the level where they start learning programming language. Just like we want to integrate secrity in the SDLC instead of applying patches afterwards.

If we integrate security in the early stages of a SDLC, not only is it cost effective but also the entire product is more secure as compared to applying patches after the fact. Similarly if we integrate security as a part of the curriculum when they are learning how to program, they will be used to developing secure products as opposed to training them on security when they are set in their mind on how to develop a product.

Jeremiah Grossman said...

I get what your saying, but I'm asking more about how much effort and reliance do we put on developers education. For user educate I say we do it a little bit, have modest expectations, and put the bulk of our resources elsewhere that'll be more effective.

For developer education I wonder if this will end up being the same thing. Educate them a little bit, but put the majorty of the emphasis on development frameworks and other areas. I've not made up my mind on this, just wondering what others think.

Anurag Agarwal said...

How much is a tough question. I know there is a need for both. I agree with you - Frameworks by themselves are not a complete solution and developers education alone is not going to help either. So there is a need for developer education but how much is a tough question. I also think it will vary based on other factors. In the current scenario when the existing frameworks are not as mature (except for maybe visual studio), more developer education may be required but lets say 3-5 years down the line, assuming these frameworks do a good job, the emphasis on developer education can decrease

Jeremiah Grossman said...

Well put. We have the current situation as it stands. We need more developer education because we don't have access to the "secure" frameworks currently.

Andy Steingruebl said...

And this is why we cannot call people that develop software engineers. Engineers have professional standards, they have to be educated in their field, be certified, and are actually responsible for the quality of the things they produce.

With software engineers we have a lack of education, very little formality, trial and error, and no responsibility or liability for what is produced.

We don't get quality bridges, cars, MRI machines, etc. because we have good frameworks and good development tools. These simply help. We get good quality bridges, cars, MRI machines, etc. because we actually understand what the heck we're building and the engineers that design them know you're entitled to your money back, and to sue them, if something goes massively wrong.

I understand that developing software is hard, and in a lot of provable ways harder than designing bridges, cars, etc. I hear lots of excuses that we can't get better, that we shouldn't train developers to be better, and that we should just have really good mechanics out there to somehow fix the problems we're causing.

I think Anurag has it right in his comments that it starts at the very beginning when people are learning to program. And if we don't yet know how to train people to do it securely, maybe thats where we should be spending more of our time.

Andy Steingruebl said...

Ok, so here I am again and so quickly.....

Went and read Rsnake's article on this subject and I suppose there is a major difference to be had between

- User education
- Developer education

On the user education front we're facing a losing battle. We can't expect that users be experts on computers and the technology they are using. Just like we don't expect drivers to be experts, though we do at least expect minimal proficiency.

I haven't seen any studies that compare safety statistics between places that have different driver education requirements. We do know that in areas of complex equipment operation that those with more education and training do tend to have fewer accidents, mishaps, etc. Compare airline safety to auto safety. Apples and Oranges, but I'm willing to bet that even if we compared just simple types of single vehicle accidents we'd have a lot fewer of them in the commercial aviation space.

What the hell does that have to do with anything you might ask...

My point is simply that we have cases where we don't want people to be experts in a field but where we do want them to demonstrate a minimum proficiency in something in order to go about their daily life. I'm not sure that we should expect any less in the area of basic information security.

Do we want users to understand how to configure their firewall, etc. No.

Do we want users to have some basic ideas about computing safety much as Jeremiah says, yes.

txs said...

Again it's the security onion. You can't ever expect that one silver bullet is going to solve everything. Education in isolation won't solve the problem and neither will any of the other "Fixes" that RSnake mentioned. I'm actually quite in awe that he suggests anyone STOP user education. I agree with JG in that user education must remain, but there has to be a balance put into place regarding the amount of resources spent in education and elsewhere. This balance of resources has been the topic of conversation for a LOOONG time in the infosec world. Everything contains tradeoffs.

Minimal proficiency is the best idea. Whenever possible offload the responsibility to the more informed security/IT staff, but you can't ever offload all of it. It's just not possible.

txs ~-at-~ donkeyonawaffle ~-dot-~ org (www.donkeyonawaffle.org)

Jeremiah Grossman said...

Ahh, that "balance" word keeps coming up. You know what might be interesting is if we did a survey and polled people with a percentage slider on how much effort they should put into a particular solution. I'll have to think about how to do that.

Custom Term Papers said...

Very nice write up. Easy to understand and straight to the point.

Thanks for sharing.
and you did a really good job