An article in InformationWeek has sparked some comments through the various security bloggers. I’ve decided to play devil’s advocate for a moment when it comes to user training. Basically, I’m just making a point or two, so don’t lambaste me too hard for being wrong or pessimistic. 🙂
the vcr clock dilemma
How many people do you know have a VCR/DVD player/Oven/Microwave clock that continuously blinks or is set to the wrong time? Ever wonder why? Typically, people don’t really care to be bothered with setting it after a power outage. Some people may have faulty power and have interruptions regularly, but most people just don’t care enough or maybe even find it cumbersome to change the time.
Similarly in security, not everyone wants to care about the technical ins and outs of security. They don’t want to be bothered in their life with technical details. It just might not be their thing, or, if they are adults, they just don’t have the time to become an expert. It is easy for us geeks to live this sort of lifestyle and to wonder loudly why people don’t educate themselves about their computer, just like it is easy for them to wonder loudly why we don’t get out more. 🙂 Some people tune their own cars and motorcycles, others take it to a shop to get fixed, and still others just let it all go to hell. Are those people idiots for doing that? Maybe the latter, but what if maintaining the car costs more than just letting it go and getting another junker? Basically speaking, we can’t make people care about their computers and put in enough time to become experts in a way that mitigates their risk. We all have friends who fall into this category, I’m sure.
the trampoline illustration
Most of us have likely seen or played on a trampoline at one time. You tell your kids to watch out and stay in the middle of the trampoline so that they don’t smack something on the side rails or outright fly off onto the less forgiving ground. Do kids really listen? Perhaps, but they still make mistakes or just plain do not heed warnings. Users are the same way, and who can blame them every time? Eventually, padding appeared on the supports and even a mesh apparatus encircled the play area like a cage for monkeys (which it kinda was). Now, kids can make a mistake and not have to learn from a broken bone.
This is technology in action. Where good common sense and training and all the words in the world may not have prevented every issue, technology has vastly mitigated the risk of injury and worry to parents. (Of course, there is something that can be said about their lack of developing restraint as they bounce against the mesh cage wildly or not learning by falling…)
Training is excellent to tell someone that a stove is hot. But some people touch it anyway. If your company cannot afford to have someone test the stove or play around near the stove and misjudge a distance or handfall, then you need to isolate the heat or the stove from the curious hands (technology). Many companies and employees cannot afford a mistake that technology could have prevented.
Now, all of that aside, training is important and will help augment technology. Training lessens user outrage at changes and restrictions they do not understand (at least for some; others will refuse to get it no matter what and just want their way). Training will help in those instances where technology cannot make the decision in a situation, and employees need to make better common sense decisions. Training will allow willing learners to become educated about technology and security at work and home. And training is even more necessary when talking about implementors of technology. Can you have untrained security guards make confident decisions about letting a C-level exec into the building with contraband or without a pass? Can you have untrained network admins building your firewall rules? Training should definitely be mandatory for those people who touch or work with the technological security measures. But for the typical worker bee employees (no offense intended), the effect of their education is still arguable.
some rhetoricals
The mishandling of data is one of the biggest problems, especially when we’re talking regular employees and their security infractions. But how can technology safeguard that? How can education safeguard that? How can social engineering ever be wiped out?