Security education: we are doing it wrong
You ever have one of those moments where you read something which makes you smack yourself in the forehead because it points out how you've been looking sideways at a thing for all these years?
I recently ran across a paper written by Rick Wash of Michigan State University called ‘Folk Models of Home Computer Security’. It discusses some common definitions people use to explain their view of ‘hackers’ and ‘viruses’ and how these definitions are used to justify their security decisions. Actually, make that ‘security’ decisions, with heavy emphasis on the air-quotes.
These folk-definitions neatly explain why botnets have been so successful, as they have been exploiting holes in common malware understanding. There are even lovely charts which correlate the perceived importance of certain security advice based on which folk model a person subscribes to.
Funny, not one of these models viewed strong passwords as essential. Same with most types of security software – apparently few non-technical people understand their utility. And I can't say that I'm surprised that people don't get why they should disable scripting in their browser.
The actions of botnets that are not accounted for in the current folk models are broken down into four statements:
- Botnets attack third parties;
- Botnets only want the internet connection;
- Botnets don't directly harm the host computer;
- Botnets spread automatically through vulnerabilities.
The absence of this information in folk models is partly because people's definitions of ‘viruses’ and ‘hackers’ were formed around the time of the Melissa virus. But more than that, the folk models focus on the perceived value of an individual's computer as an end goal. Obviously that is no longer the case.
This change in focus is a change not just in the world of malware, but in computing in general. Cloud computing, for example, is not interesting because it's one giant, monolithic computer. It's useful because of its distributed nature.
In essence, bot-infected computers are the cloud of malware-authors. This is admittedly not a useful metaphor for a potential folk-model. Does your Grandma understand cloud computing? Mine certainly doesn't.
This lack of understanding points to the root of the problem. Our efforts at security education have failed because people have not been able to form a metaphor which adequately explains the threat.
When new advice or threat-information comes in, people choose to ignore that information which they can't assimilate. All this time many of us figured, because we're the experts, people would just take our advice and follow it regardless of their own level of understanding. Clearly this is not the case. We need to take the time to explain why this advice is essential, not just assume they'll swallow whatever juicy morsels of wisdom we throw their way.
Current security education efforts do not adequately explain the threats that home computer users face; rather they focus on practical, actionable advice. But security education should focus not only on recommending what actions to take, but also on emphasising why those actions are necessary.