“I don’t believe user education will solve problems with security because security will always be a secondary goal for users,” Gorling said. “In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users’ primary goal. It can’t work if it interferes.”
His first sentence is correct. It is true, user education will not solve our problems. If education solved our problems, we would have a different president right now.
Indeed, as I always say, security is a secondary goal, even for developers and network administrators, let alone your average regular user. Functionality is always first, i.e. getting things done. “Getting it done securely,” while a way for managers to package in security as just as important to getting it done, is still just a qualifier to “getting it done.”
The second sentence is correct as well, we need to embed the process as much as possible. The systems needs to be more protected from dumb users or just simple mistakes in judgement. The network needs to be more protected. This is the real key where prevention systems come into play. Detection works wonders, but the assumption that users will make mistakes means you need prevention, mitigation and incident response, and audit trails (detection and logging).
And then his last few sentences are the real problem. We have to do these security things without impacting the user’s primary goal of getting things done.
Now, I really believe education will not solve our problems, but it will go a LONG way toward helping. Just because education doesn’t solve all our problems is not a valid argument to say we should throw our hands in the air and not do any education. I like the mention in the article about giving users some education while actually attending to a problem. This is highly effective and focused education that can have an impact. Education makes an impact and some people do want to learn and be better about it, but it is true, it won’t solve ALL our problems. But the speaker is correct, we shouldn’t hold up education as the root solution to our problems.
It is highly important to make sure security does not unduly interfere with employees getting their jobs done. However, this goes both ways. Employees need to be receptive to changes in their job. A security-induced change may not even impact users if they were to just adopt the new way of doing their job. Sometimes this battle between security and usability is just human nature being stubborn and unwilling to change, even if those changes result in less work for the user.
I’ve slowly become a minor proponent of having less rules and less impact on users. I detest rules and limitations on my computer use at work, which impacts my happiness and thus my productivity. Now, I may be a bit more progressive in my use of the Internet than many people that I work with, but slowly, attitudes will change as more and more people enter the business world that have grown up with a computer in their rooms and their social lives have long incorporated the use of a computer through web pages, blogs, IM use, email, music, and so on.
We still need education, but we also need to make sure we do our professional diligence on the back systems and networks before dictating what users can and cannot do. And I truly believe we need less rules, overall, in our businesses. We just need smarter rules and enhanced incident response. Rules stifle innovation and happiness, and we need both in our businesses.