During the session I took part in while in Spain, one of the topics on the panel was end-user training. Consider that end users are the ultimate target by cyber criminals and you have to wonder how you can best protect them if you work in security. At the same time, is the effort in training worth it? Why train them when you can pass on the issue of end-user security to a government, company or other third party?
Is end-user training working? Is it worth the effort? (Image: J. Anderson/S. Ragan)
End-user training is important; I am a strong proponent of this. The only way to protect an end user is to make them aware of the problems online and what security risks they face. This task, however, is easier said than done. When asked during the first part of the panel to give my thoughts on the state of security with regard to the end user, I stated that security now is no better than it was yesterday.
To explain this: yes, we have new security technology, new tools, and new science. Yet we have the same problems protecting the end user. This led to the second aspect of the introduction given by every member of the panel, a prediction for the future of security. Here I pointed out that as long as criminals have a motive for financial gain and see easy prey in the form of end users, the cat-and-mouse game of security will continue.
Ending with the third aspect, a recommendation on what to do about security for the end user, I agreed with Javier Villacañas that end-user awareness training is needed (Francisco Lago mirrored this line of thought also). However, I added that training is not enough. As a security professional, you can preach and teach the masses until you turn blue, but if you cannot relate to them in terms and ideas that they can grasp, you will fail to reach them.
My exact words were that we have blogs and security media, but users do not understand them. And, as long as they don’t, we will continue to see the same errors time and time again. Andy Willingham, one of the other experts on the panel, agreed with this and pointed out that, “it falls on those of us who know security to spread the word.” His idea is that the training should involve substance and not just PowerPoint presentations.
The question is, how can we train users who don’t want to be trained? How can you stress the need for security when most users neither understand nor care? You can’t, and this is why the cat and mouse game will continue.
At this point in the talk, Bruce Schneier mentioned that the issue with end-user training is generational. The younger set online understands security education, the need for it, and they care about it. The older set does neither of these things. This is the way it has always been really, not just with security, but with any technology.
As kids we all had technological or culture gaps with our parents. For example, my parents have only been online for about three years now. My kids cannot understand how they ever communicated, shopped, or entertained themselves in the past without a computer or Internet access.
So if you cannot train end users, then should you pass the buck, so to speak, and let government and businesses secure the end user? This is already done for the most part. Taking a page from Bruce Schneier, banks and credit companies do this all the time. The government passes the buck from the user to the bank, which absorbs most of the cost of a cyber crime based on credit-card theft. A user only needs to pay about $50 USD in most cases, or sometimes nothing at all. Now, the issue is that shifting security onto one party rather than another creates an imbalance.
Byron Acohido said that 90 percent of the problem is not down to the end user. If a product is launched with security problems, that is not an issue that the end user needs to address (example: operating system security flaws are not the problem of the end user). He has a point; the end user cannot control development. There is also the issue that developers cannot assume control over the security of the end user. This is where you can see a clear imbalance.
Another issue is government regulation with regard to end-user security. If the government mandates security in software or goods and services, then we all benefit. This assumes you are comfortable with government controlling business at that level, because once it does, costs for said goods and services will go up, resulting in the consumer paying more for no more security than they have today.
The balance is that government, businesses, and users each need to play a role and work together when it comes to overall security. This opinion, shared by most of the panel, would ultimately benefit everyone. The trick is reaching that level of cooperation and making it work.
However, once the security industry reaches that level, end-user training will be a big part of it. The training will come in layers. Users will need to know the threats: what they are and how to spot them, explained in terms that relate to everyone and not only the younger, more tech-savvy generation.
The second layer is training on what businesses are doing to protect the end user, and what types of security are available and in use. Again, for this to work, businesses need to use explanations that are cross-generational. Lastly, the government needs to stay far away from directly running things, but at the same time create laws and policies that keep business in check and hold it to a standard that protects the business itself as well as the user.
Again, it looks good on paper, but the trick is making it work.