Who would be better prepared to face off against cybercrime? A high school dropout or a Ph.D.? The answers will surprise you.
If the decision were based on a quick game of Three-card Monte in a back alley, conventional wisdom might favor the dropout – or at least provide even money between them. But what happens when it comes to recognizing computer crimes and scams which cost much more than pocket change? Will street smarts win out over book smart when it comes to cybercrime victimization?
Perspective: Book smart vs. street smart quantified
Quoting from a recent cybersecurity study performed for ESET and Securing Our eCity:
Surprisingly, cybercrime victimization is also strongly related to education levels, and the more educated are more likely to be victimized.
As the chart shows, those who have not attended college are relatively immune to cybercrime. Among those with some college or a bachelors degree, victimization is at moderate levels.
But those with advanced degrees have really been hard hit: 18 percent in this group have been victims of cybercrime.
Although cybercrime tends to be even more prevalent among highly educated Americans who spend more time online, the victimization rate is high among those with advanced degrees – even among those who are on the internet less than three hours per week.
This strong tie between education and victimization suggests that cybercriminals may more often target those who earn advanced degrees.
My perspective: Criminals usually take path of least resistance
I could theorize that cybercriminals consider higher education to be where the money is that they want to steal; dot-edu's are considerably within the cybercriminalís purview. I disagree with the "targeted graduate" theory only because there is too much work involved and too many other willing victims to be reached through a broader approach such as phishing.
Perspective: Bulletproof monks
Again, from CERC October 2009:
Also, some hubris on the part of well-educated people along the lines of "this can't happen to me" may occur and lead to riskier behavior.
I don't find this assessment to be complete, but it does have some truth to it. I recall one key cybersecurity discussion a few short years ago with a nameless defense contracting company. The topic was whether to implement internal controls and fundamental cybersecurity measures or not.
One example of the poor security observed was the insistence on sending interoffice mail through an external (and commercial) mail server with no domain security measures in place.
While this added vulnerability could be described as a theoretical risk, the "Admin-Admin" login/password combination found on all systems was not to be ignored.
Yet the cybersecurity risks were difficult to communicate and harder to put into place as practices. This took a surprising turn as the hardest sells on the concept and value of security turned out to be with the most educated members of the senior leadership – the academics.
The main objection to implementing proper network security adoption was upheld by two of the Ph.D-level senior leaders. Both also had significant personal risk as stakeholders. Along with being highly educated, the same two objectors were majority shareholders in the small, closely held business.
Yet both doctoral graduates cared little for the details around implementing proper network security – whether expressed as a duty and responsibility to their armed forces clients or expressed as a risk to their intellectual property and personal livelihoods.
Therefore, drawing from my personal experience, I must agree to some extent that book smart victims may indeed be falling prey to a "bulletproof genius syndrome" of academia. Partly, I find this to be responsible.
As a CIO, the challenge is in the human element – the more they know or think they know, the less your audience will want to hear from you. Finding ways to target the best teachable moments will become the longest challenge.
In the upcoming posts we'll try to look at some of the factors of the book smart cybersecurity gap.
