Are we wasting our time trying to raise security awareness among the general populace? Is it time to simply enforce security upon ordinary computer users? Cryptographer and security pundit Bruce Schneier seems to think that training aimed at raising the awareness of corporate employees “is generally a waste of time”.
Some of the analogies Schneier makes don’t really stand up to scrutiny. He mentions, for example, how years of health education haven’t stopped people eating badly and failing to exercise. But it’s a poor analogue for information security. The potential for bad health at some indeterminate time in the future is a vague and uncertain consequence of poor practices today. By contrast, having your bank account emptied or your company crippled by regulatory fines is a concrete and easily communicated risk.
In the April issue of Computer Fraud & Security, Prof Steven Furnell examines the failures of the humble password, suggesting that people aren’t getting much better at using them and surveying some of the emerging alternatives. However, our poor state of security, and the apparent general malaise in security awareness, may not be just a case of people being stubbornly unaware of the risks.
In fact, I don’t agree that security awareness isn’t improving. Ordinary members of the public (I’m tempted to say ‘civilians’) using passwords to access computer systems is a fairly recent phenomenon. At the same time, technology is advancing at a rapid pace, becoming more complex and working its way into ever deeper parts of our lives. It may simply be outpacing our ability to secure it, and what we’re witnessing is not a failure to raise awareness but rather a slower rate of change in terms of our habits – a kind of cultural lag.
Just a few years ago, most people didn’t have wifi access points in their homes. When these arrived, more often than not they were left open. Now they are routinely protected by WPA encryption. Partly this is the result of better default installations by vendors and distributors, but I also see ordinary users understanding that it’s a good idea to keep their Internet access to themselves.
But, yes, the overall state of security awareness remains poor, and not just among users. Programmers and system designers – the people who would be responsible for imposing security upon recalcitrant users – are also at fault. Users might be regarded as being wilfully insecure when they choose ‘Password1’ as a password, but as Furnell points out, it meets Active Directory’s requirements for a ‘complex’ password.
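To make Furnell’s point concrete, here is an added example (not code from the column or from Furnell’s article) that models the Windows “Password must meet complexity requirements” rule and then layers a blocklist check on top of it. The category rules follow Microsoft’s published policy (three of five character classes, no long fragments of the account or display name); the minimum length of 8 and the tiny blocklist are assumptions chosen for illustration, and the function names are my own.

```python
import re
import string

# Constructed sample of a breached-password blocklist. A real deployment would
# load a large list built from public breach corpora instead of this handful.
COMMON_PASSWORDS = {"password", "password1", "welcome", "letmein", "qwerty", "123456"}


def _categories(password):
    """Count how many of the five AD character categories are present."""
    cats = [
        any(c.isupper() for c in password),                      # A-Z
        any(c.islower() for c in password),                      # a-z
        any(c.isdigit() for c in password),                      # 0-9
        any(c in string.punctuation for c in password),          # !$#% etc.
        any(c.isalpha() and not c.isupper() and not c.islower()  # other Unicode letters
            for c in password),
    ]
    return sum(cats)


def _name_parts(name):
    """Split a name on the delimiters AD uses; keep fragments longer than two characters."""
    return [p for p in re.split(r"[,.\-_ #\t]+", name) if len(p) > 2]


def meets_ad_complexity(password, account_name="", display_name="", min_length=8):
    """True if the password would satisfy the AD complexity policy (min_length assumed)."""
    if len(password) < min_length:
        return False
    low = password.lower()
    for name in (account_name, display_name):
        if any(part.lower() in low for part in _name_parts(name)):
            return False
    return _categories(password) >= 3


def check_password(password, account_name="", display_name="", min_length=8):
    """Return a list of problems; an empty list means the password is acceptable.

    The second check is the one AD's complexity rule lacks: strip trailing digits
    and symbols so that 'Password1' is compared against the blocklist as 'password'.
    """
    problems = []
    if not meets_ad_complexity(password, account_name, display_name, min_length):
        problems.append("fails AD complexity")
    low = password.lower()
    base = re.sub(r"[^a-z]+$", "", low)
    if low in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "password1", "Tr0ub4dor&3"):
        print(candidate, "AD complexity:", meets_ad_complexity(candidate),
              "problems:", check_password(candidate))
```

Running the block shows the gap the column describes: ‘Password1’ satisfies every clause of the complexity policy, and only the blocklist check rejects it. The lesson for system designers is that category-counting rules reward predictable substitutions; a blocklist of known-bad passwords catches what the rule lets through.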
Perhaps we need to spend more time promoting the positive benefits – to hold out a carrot as well as wielding a stick. It’s not easy: there aren’t that many direct benefits because security is often a negative thing – when you’re secure, bad things don’t happen. But there are gains to be had.
If you tell a friend to secure their wifi router because some bogeyman hacker might otherwise do bad things, you’ll get a shrug. If you tell them that their neighbour might leech bandwidth – the bandwidth the friend is paying for – making Netflix slower, then they’ll be more inclined to do something about it. Security becomes a benefit.
When I first installed a Linux mail server at home – so many years ago – one of the first services I set up was SpamAssassin, even though we had not a single Windows machine in the house. The reason was simple: eliminating malware-laden emails at an early stage made the whole system more efficient.
Some of that scales up. Security can make systems more efficient by dropping bandwidth-wasting malicious traffic. And if you can prove your systems are secure, through adequate pen-testing and other auditing methods, you might find yourself saving a penny or two on things like insurance premiums.
It’s tiresome to constantly view security as a negative – as a barrier or a filter. Let’s look on the bright side for once.