Security education: We're doing it wrong
Have you ever had one of those moments where you read something that makes you smack yourself in the forehead because it points out how you've been looking sideways at a thing for all these years?
I recently ran across a paper written by Rick Wash of Michigan State University, called "Folk Models of Home Computer Security". It discusses some common definitions people use to explain their view of "hackers" and "viruses," and how these definitions are used to justify their security decisions.
Actually, make that "security" decisions, with heavy emphasis on the air quotes.
These folk definitions neatly explain why botnets have been so successful, as they've been exploiting holes in how malware is commonly understood. There are even lovely charts that correlate the perceived importance of certain security advice based on which folk model a person subscribes to.
Funny, not one of these models viewed strong passwords as essential. Same with most types of security software – apparently few nontechnical people understand their utility. And I can't say that I'm surprised that people don't get why they should disable scripting in their browser.
The actions that botnets take, but which are not accounted for in current folk models, are broken down into four statements:
- Botnets attack third parties.
- They only want the internet connection.
- They don't directly harm the host computer.
- They spread automatically through vulnerabilities.
The absence of this information in folk models is partly because people's definitions of "viruses" and "hackers" were formed around the time of the Melissa virus.
But more than that, the folk models focus on the perceived value of an individual's computer as an end goal. Obviously that is no longer the case.
This change in focus is a change not just in the world of malware, but in computing in general. Cloud computing, for example, is not interesting because it is one giant, monolithic computer. It is useful because of its distributed nature. In essence, bot-infected computers are the cloud of malware authors. (This is admittedly not a useful metaphor for a potential folk model. Does your grandma understand cloud computing? Mine certainly doesn't.)
This lack of understanding points to the root of the problem. Our efforts at security education have failed because people have not been able to form a metaphor to adequately explain the threat. When new advice or threat information comes in, people choose to ignore that which they can't assimilate.
All this time many of us figured, because we're the experts, people would just take our advice and follow it regardless of their own level of understanding.
Clearly this is not the case. We need to take the time to explain why this advice is essential, not just assume they'll swallow whatever juicy morsels of wisdom we throw their way.