The myth of user education
Stefan Görling Royal Institute of Technology, Stockholm
Many discussions in the security community often tend to end in agreement that the only
way to really address many of our current problems is 'user education'. 'User education'
has in many ways become the default way to address the fact that our security environment
is becoming too complex for us to secure it using software or hardware appliances.
However, what remains to be discussed is whether 'user education' is a way to go forward
or whether it is merely a term used to avoid admitting our failure to create a secure
environment for our users/customers.
Is there any reason to expect that the users would be interested in educating
themselves? Is there any research indicating that 'user education' actually helps?
This paper aims to provocatively discuss two questions. First: should we expect our
users to be interested in education? After all, they pay us for taking care of this,
so that they can go on with their real work. Second: do we have any evidence that 'user
education' leads to a higher level of security? Do the users actually change their
behaviour in a way that mitigates risks? Are the risks we are seeing today addressable
by increasing awareness?
Who in your company is responsible for installing software patches?
Leave a comment
The final VB100 of the year sees a double whammy of potential
pitfalls for our comparative participants - the
Vista operating system, which still seems shiny
and new as well as a little scary (to both developers and users), as well
as the x64 architecture, whose ostensible compatibility with standard
32-bit software belies oddities and intricacies that developers ignore at
their peril. The announcement of the test brought a few surprises, as
several regulars opted to skip this one, but the majority of veteran
competitors took part as usual, along with several newer faces, many of
whom look set to join the ranks of our regulars.
See full results.
Virus Bulletin currently has 148,281
registered users.
