Security expert: User education is pointless

Most office workers can't be made to care about phishing, rootkits or spyware, he says. Other specialists disagree.

MONTREAL--Forget about teaching computer users how to be safe online.

Users are often called the weakest link in computer security. They can't select secure passwords, they write passwords down and hand them out to strangers in exchange for treats. They run old or outdated security software, can't spell the word "phishing," and click on any link that arrives by e-mail or instant message, or that appears on the Web.

That's the reality, Stefan Gorling, a doctoral student at the Royal Institute of Technology in Stockholm, Sweden, said in a talk at the Virus Bulletin conference here Wednesday.

When things go wrong, users call help desks, either at their own company or at a technology supplier such as a PC maker, software maker or Internet access provider, and those calls can cost a fortune. The solution, many technologists say, is to educate the user about online threats. But that doesn't work and is the wrong approach, Gorling said.

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations in particular, the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.

It isn't productive, for example, to ask users to spot e-mails that try to con them into giving up personal information, he said. "Phishing is too hard to detect, even for experts."

And even if people can be trained, they can't be trusted to be on guard all the time, he said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some examples of built-in security mentioned at Virus Bulletin include phishing shields in Web browsers, virus filtering in e-mail services and client programs, and protection built into instant messaging services such as Microsoft's Windows Live Messenger.
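To make the "embedded, not educated" argument concrete, here is an added example of the kind of check a mail gateway or client-side phishing shield can run on every message without asking the user for anything. It is illustrative code written for this page, not code from any product mentioned at the conference, and the messages and domains (`bank.example`, `evil.example`, the 203.0.113.0/24 addresses) are constructed for the demonstration. It flags three patterns a reader is poorly placed to notice: a link whose visible text names one domain while the `href` points at another, a URL that hides the real host behind `user@` syntax, and a link to a bare IP address.

```python
"""Illustrative link checks of the sort a mail filter or browser phishing
shield applies automatically (example code for this article, not a real
product's logic). Domains and addresses below are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample message bodies; none of these hosts are real services.
SAMPLE_MESSAGES = {
    "legit": '<p>See <a href="https://www.bank.example/login">'
             'https://www.bank.example/login</a></p>',
    "text_mismatch": '<p>Update now: <a href="http://secure-login.evil.example/b">'
                     'www.bank.example</a></p>',
    "userinfo_trick": '<p><a href="http://www.bank.example@203.0.113.5/">'
                      'click here</a></p>',
    "ip_host": '<p><a href="http://203.0.113.9/verify">Verify account</a></p>',
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a domain name inside the anchor's visible text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return a list of (reason, href) findings for suspicious anchors.

    An empty list means nothing in this message tripped the checks; a
    non-empty list is what a gateway would act on (quarantine, rewrite the
    link, or add a warning banner) without involving the recipient.
    """
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if not host:
            continue  # relative or mailto: links are out of scope here
        # http://www.bank.example@203.0.113.5/ really goes to 203.0.113.5
        if parts.username is not None:
            findings.append(("userinfo-in-url", href))
        if _is_ip(host):
            findings.append(("raw-ip-host", href))
        # Visible text claims one domain, href goes somewhere else
        match = _DOMAIN_IN_TEXT.search(text)
        if match and match.group(1).lower() != host:
            findings.append(("display-text-mismatch", href))
    return findings


def scan_messages(messages=SAMPLE_MESSAGES):
    """Run check_links over a dict of name -> HTML body; return name -> reasons."""
    return {name: sorted(r for r, _ in check_links(body))
            for name, body in messages.items()}


if __name__ == "__main__":
    for name, reasons in scan_messages().items():
        print(f"{name:15s} {reasons or 'clean'}")
```

The point of the example is not that these three heuristics stop phishing (a real shield also consults reputation feeds and certificate data), but that each check runs on the message or the click itself, so the user's primary task is untouched and nothing depends on them remembering a training slide.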