Security expert: User education is pointless

Most office workers can't be made to care about phishing, rootkits or spyware, he says. Other specialists disagree.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
4 min read
MONTREAL--Forget about teaching computer users how to be safe online.

Users are often called the weakest link in computer security. They can't select secure passwords, and they write down passwords and give them out to strangers in exchange for treats. They use old or outdated security software, can't spell the word "phishing," and click on all links that arrive in e-mail or instant messages, and all that appear on the Web.

That's the reality, Stefan Gorling, a doctoral student at the Royal Institute of Technology in Stockholm, Sweden, said in a talk at the Virus Bulletin conference here Wednesday.

When things go wrong, users call help desks, either at their company or at a technology supplier, such as a PC maker, software maker, or an Internet access provider, which can cost a fortune. The solution, many technologists say, is to educate the user about online threats. But that doesn't work and is the wrong approach, Gorling said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users."
--Stefan Gorling, doctoral student, Royal Institute of Technology

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.

It isn't productive, for example, to ask users to detect e-mails that seek to con them into giving up personal e-mail, he said. "Phishing is too hard to detect, even for experts."

And even if people can be trained, they can't be trusted to be on guard all the time, he said.

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some examples of built-in security mentioned at Virus Bulletin include a phishing shield in Web browsers, virus filtering in e-mail services and programs, and protection as part of instant messaging services such as Microsoft's Windows Live Messenger.

Gorling found fans and adversaries in the Virus Bulletin crowd. Martin Overton, a U.K.-based security specialist at IBM, agreed with the Swedish doctoral student. Most computer users in business settings just want to focus on work and then go home to spend the money they made, he said.

"It really is a nightmare. User education is a complete waste of time. It is about as much use as nailing jelly to a wall," Overton said. "There is no good trying to teach them what phishing is, what rootkits are, what malware is, etc. They are not interested; they just want to do their job."

Instead, organizations should create simple policies for use of company resources, Overton said. These should include things such as mandatory use of security software and a ban on using computers at work to visit adult Web sites, he said.

IT staffers, on the other hand, do need training. And when they have to come to the rescue of a "click-a-holic" with an infected PC, it's possible under those circumstances that some preventive skills will rub off on the user, Overton said. "A bit like pollination, but without the mess."

Others at the annual conference for antivirus and security professionals advocated user education.

The trick is to know what you're talking about and to bring the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.

"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."

Microsoft has long been an advocate of user education. Matt Braverman, a program manager for the software giant, advocated the use of specific threat examples to inform users, such as samples of malicious software and e-mail messages that contain Trojan horses.

"If we can look at the most successful tactics that the user is likely to fall victim to, you're more likely to get the message through," Braverman said.

Jill Sitherwood, an information security consultant at a large financial institution, has seen education both fail and succeed. "I have to believe it works," she said. "When we give our awareness presentations, what signs to look for, I have seen a spike in the number of incidents reported by our internal users."

But online consumers are a tougher crowd to get through to.

"We have a special page on our Web site to report security incidents. We had to shut the e-mail box because customers didn?t read (the page) and submitted general customer service queries," Sitherwood said.