helping home users be more secure: just a dream?

I started out the week pointing towards people doing some thinking. I figure I’ll end the week the same way.

Bruce Schneier posted an article about home user security knowledge that I really like, since I’ve been saying roughly the same thing.

At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don’t see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they’re available to help me recover if something untoward does happen to my system. Home users have none of this support. They’re on their own.

Absolutely true. When I purchase a car, do I have a manual on how to tune and maintain it or troubleshoot it when things go wrong? Do I even get to see the standard specs for safety and security? Hell, do I get a lesson in changing my oil? Nope. And we expect people to “get” the much more ephemeral workings of a computer when not everyone has nearly the logical mind that most techies have? Yikes!

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn’t any other way.

I agree, although that doesn’t mean we should dump user awareness totally. But really, corporations (and us geeks!) need to buck up and help their own employees at least a little. Training at work about security and computer usage will carry over into their home life. If nothing else, perhaps they can bounce home computer questions off the cyber talent present in the organization. I know we techs hate troubleshooting home PCs, but giving free advice is not nearly as painful.

What digs at this approach, however, is that while advice is free, most people just want someone else to do it and do the thinking, the dirty work. Not everyone is into computers as much as us geeks, and they simply don’t want to be. Just like I don’t change my own oil, and really don’t want to be troubled with it, despite how necessary it is to protect my investment. Anything beyond “don’t install random things” and “don’t click links in email” is still too much to trust most end users to understand.

Sadly, we have a huge computer security industry now, and they simply will not let someone like Microsoft put out a solid, more secure OS. Which puts us in a real bind… In the end, insecurity may just be a permanent reality, just like crime in general is a permanent reality, or home insecurity is a permanent reality (assuming realistic costs).