Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

Education in Computer Security

by Ari Juels on 12/12/2006
Topics: Identity Protection | Phishing | Usability

It's hard to stand against education. Education means improvement and broadening of the mind. It is an incontestable good. Opposing education is like opposing democracy, equality, progress, and all of the other moral taproots of Western civilization.

So it is with computer security. Consumer education is one of the most frequently recommended antidotes to Internet security problems. It's hard to argue that consumers shouldn't be educated. But when I read advice on consumer education, I feel that someone's trying to pull the wool over my eyes.

The National Consumers League recently issued a collaborative report on phishing (a scourge to e-commerce). The top recommendation: greater consumer education. EPCglobal Inc., a major organization spearheading RFID (i.e., wireless microchip) deployment, has chosen a similar remedy to inflammatory consumer-privacy issues. Among EPCglobal's four policy guidelines are consumer notice and consumer education. (Does "education" teach someone how to understand "notice?")

Consumer education is everywhere. It's easy to find Internet sites educating consumers on an array of topics: art appreciation, medical safety, automobile safety, sustainable fishing practices, the benefits of low-fat/high-carb diets, the benefits of high-fat/low-carb diets, the benefits of cotton, the benefits of hemp, and so forth. What often goes unacknowledged is that consumers are not infinitely educable. Mindshare is a scarce resource; "educators" (and advertisers) are competitors for the consumer's stretched and limited attention. A policy that relies upon successful education presumes victory on a fierce and ever fiercer battleground.

In many cases, the goal of education is to inculcate consumers with simple messages of fundamental and enduring value, to teach lessons that save natural resources and lives. Such education is worth a little mental clutter.

Consumer "education" in security is altogether different. It is not about fundamental knowledge or betterment. It is really the practice of teaching consumers short-term tricks to navigate a broken system, of spreading guerilla tactics for the as-yet untamed jungle of the Internet.

The educated consumer, we are told, does not click on a link in a piece of e-mail unless certain of its authenticity. (See, e.g., the FTC guidance and that of service providers like Yahoo.) At the same time, people receive daily e-mail from their banks, brokers, etc., that offer the option of clicking on a link. Few people--even security specialists--are really confident in the authenticity of most e-mail. Even if consumers are ultimately "educated" to combat phishing, the phishers will turn to more sophisticated scams like spear phishing and pharming, as they are already doing. That's why computer-security education is a stopgap measure.

In stark opposition to the number-one recommendation of the National Consumers League report is its number-two recommendation: the user experience must be secure by design. In other words, security architects and educators need to educate themselves to build systems that don't require consumer "education" at all.

In the end, therefore, there's no reason to oppose computer-security education. But perhaps the most important goal is to educate the educators first.

Comments
User education

The best user comment I ever received was: We don't need a better explanation of the steps, or a better help file. We need less steps.

For a security developer's viewpoint, I consider it self-evident that the system may actually be usable is far more important than any security claims that may be made. These two viewpoints coincide when we think about what we are trusting the user to do. Are we trusting the user to read and understand the help in order to be able to use a system feature? When we do, expect problems. In addition, I believe that trusting user intervention even to simply update software is a very weak assumption.

Personally, I am especially interested in solutions that can solve current security and network problems without trusting user intervention or learning.

This is pretty much the only way to include the growing, large mass of users that see today's IT security as actually counter-intuitive to their experience.

When you want to send a secure email using public-key cryptography (PKC), for example, you need to first ask the recipient for her public-key. In conventional mail terms, this would be equivalent to asking the recipient for a self-addressed envelope before sending the letter. This is counter-intuitive. No wonder that users face difficulties when using PKC for email. For SSL, on the other hand, it works because it seems natural -- the site you wan to talk to has to introduce itself properly.

Ed Gerck, Ph.D.

- Ed Gerck
Critical thinking is needed ... but that's hard to cultivate.

A thought provoking text - thank you Ari.

In my view, it is essential for teachers _first_ and their students to value knowledge (of fundamentals) and love learning. We need to see beyond our own immediate experience; of course this is really hard, but we would get an invaluable payoff: Critical thinking that can be applied to just about anything... including computer security.

- Manolis Marazakis

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication