WatchGuard Wire
Improve Your Security IQ

Maybe you and I are to blame for stupid users

The current issue of Information Security magazine features an article billed as a point/counterpoint debate between two of my favorite security experts, Marcus Ranum and Bruce Schneier. The topic: Is user education working? (Free registration required, but readable online here.)

Marcus, widely credited as one of the inventors of the commercial firewall, has long been on record saying that educating users about security does not help network security one bit, and squanders the administrator's time. I tried contradicting him on the Firewall Wizards list, and wound up at the bottom of a dogpile of security veterans who all insist that educating users about network security is a futile, valueless pursuit.

So I was eager to see the sharp-thinking, estimable Bruce Schneier contradict Marcus. Which Bruce utterly failed to do. This "Face-off" amounted to two security technologists agreeing that user naivete is solved by using so much security technology, it's impossible for users to hurt themselves.

I continue to disagree strongly with both of them. Here's the letter I wrote to Information Security magazine:

"Marcus Ranum and Bruce Schneier both agree that educating users about security is futile. Both agree that the answer is to throw better technology at the security problem. Both of them are wrong.

"Is user education working?" is a different question than "Can user education work?" The problem with user security education is not that users are stupid. The problem is that most security professionals are inept educators. They don't remember what it was like to not know the stuff they know, so they do a bad job of conveying security knowledge to lay users. Thus, the answer to user-initiated security problems is not more technology. The answer is better curriculum about security.

"Is user education working?" also might deserve a different answer depending upon the size of your organization. We offer complete turn-key security training modules, called SecurityWise, to IT administrators, who use them to train their network users. SecurityWise has proven highly effective in small to medium businesses. Whether this same educational approach would scale up to a 20,000-seat network or a Fortune 100 company is unknown.

"Ranum in particular has stated on record over and over that educating users is a waste of breath. Ranum is brilliant within his field of expertise, but that doesn't guarantee he knows what he's talking about when he steps outside it. User education is a human problem, not a technology problem. There is nowhere near enough evidence to state with certainty that users cannot be trained to implement safe security behaviors. There is plenty of anecdotal evidence that they can.

"The real question is, Who has the skill to train them?"

An editor from the magazine wrote back, requesting permission to reprint my letter in the next issue. I'll be curious to see if anyone out there besides me thinks education is better than ignorance. -- D. Scott Pinzon, CISSP

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.