RE: [fw-wiz] The home user problem returns

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 09/14/05

    To: Scott Pinzon <Scott.Pinzon@watchguard.com>
    Date: Tue, 13 Sep 2005 19:23:41 -0400 (EDT)


    On Tue, 13 Sep 2005, Scott Pinzon wrote:

    > I've been watching with a certain morbid fascination as Marcus has
    > ranted in his own blog and in FW-WIZ (and who knows where else) that
    > educating users about security is one of the "dumbest ideas" and "if it
    > was ever going to work, it would have by now." I have tremendous respect
    > for you, Marcus (especially since you have, I dunno, six times the years
    > in computer security that I do). But I can't help feeling, in my
    > pipsqueak opinion, that on this one you're way off base.

    Well, statistics would probably bear him out. Anna Kournikova was big
    enough and fast enough that it *should* have been all the wake-up call we
    needed. I remember talking to someone who recounted an end-user
    experience-

    Admin: "Why did you click on the virus, didn't you see all the press coverage?"
    User: "Yes, I wanted to see what it would do!"

    > -- Ignorance is never better than knowledge in any realm. But particular

    My experiences don't run that way- there's lots of stuff I'm perfectly
    happy not knowing a thing about. Ignorance is bliss.

    > to network security, my experience is that most clueless users are also
    > people of good will who will cease dangerous behaviors once they
    > understand those behaviors ARE dangerous.

    For about a week- maybe two. Look at the password-for-pens studies and
    the password training retention studies. While lots of users *do* want
    to do the right thing, you're ignoring the silent majority who just don't
    care.

    > -- Educating users is another layer in "Defense in depth." If 10 out of
    > 100 users click evil email attachments, and through education you reduce
    > that to 3 out of 100, you've improved that layer.

    This is important for click-to-run stuff, where most people don't
    understand the level of not clicking that will make a piece of malware not
    global. We need (last time I saw numbers I almost agreed with) about a
    35% non-click improvement to have a good gain.

    > -- Educating users has been proven to work at company after company.
    > Help desk calls, viral infections, falling victim to phishing emails,
    > and more, have been quantitatively and demonstrably reduced at companies
    > that institute end-user security training.

    For how long? Got any long-term citations?

    >
    > -- And how do you know "it" (educating end users) is not working? We
    > have no before/after comparison on what the Internet would be like if
    > all of us who preach security had stopped five years ago.
    >

    Because they're still getting infected with click-to-run malware.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

