Dartmouth Cyber Security Chief: More Attention Needed To Human Element In Security

From http://threatpost.com/en_us/blogs/d...ttention-needed-human-element-security-122911:

 

User Hungry Man would disagree...

 

Well what are they expecting those who do attempt to teach to do? I mean do we pull a Pavlov or what? Users have access to all they need to know, vendors and even the media warn them year after year about the same dangers. They have free tools at their disposal and many places like this to give them advice on using those tools, those of us who deal with users all the time have thrown firewalls, sandboxes, AVs and God knows what all else at them, and they either complain until we remove them, remove them themselves or bypass them.

I'm not going to keep saving a users butt if they repeat the same behavior over and over, and I'm not going to keep repeating the dangers and how to avoid them until I'm blue in the face. Facts need to be faced, the majority of users just don't care, and we can't force them to.

 

^Indeed, classical conditioning just doesn't work.
It will take blunt operant conditioning by negative stimulus; only when the proverbial excrement hits the fan (money/data stolen/hdd encrypted), lots of folks seem willing to change their behaviour.

 

There's only one way to get people's interest... $... Pay them to be educated, and they will have all interest in it.

It usually works for other education matters...

 

Agreed. I can count on one hand the number of clients who have even attempted to apply what I tried to tell them. Those PCs are running fine. With the rest, it's the same problems over and over.

Several years ago while cleaning what I was told was an excessive popup problem, I found a data theft trojan whose purpose was catching logins and enabling the cleaning out of bank accounts. The owner took me serious and called the bank and caught the transactions in process.

Pay people to learn cybersecurity? Who would pay for this on the scale required? I'd suspect we'd end up paying people to
"go thru the motions" treating this as an income opportunity more than a real learning experience. IMO, the typical casual users shouldn't be using standard PCs. They should be using the equivalent of Live CD operating systems that they can't infect. Even this isn't a complete solution as it doesn't rule out social engineering tricks that convince them to give out info that they shouldn't.

 

In other words there's not jack crap anyone can do. Users are going to be users until they've been burned so badly it forces them to chance. Security vendors make far too much money pushing the same "security" that they have since the web began and malware writers/hackers are going to keep going at it as long as there is money or some "cause", and you're sure as hell not going to catch them all.

 

Yep. Users don't care and it's not their job to. You don't need a license to use the internet nor should you - that's a quick way to give the government far too much power over information.

Leave security to the developers. Want to educate users? Please, please go ahead. I love that they're trying. But attackers will always be smarter than the average user and that's never going to change.

They are right to the extent that right now investing in more antivirus software is just a waste of money. There isn't a single product out there that handles security properly so we live in a world in which system admins can either say "Software isn't good enough" or "Users aren't good enough" and it's always easier to point to the user.