Bruce Schneier gave a speech of how human psychology affects computer security. Very true as security software is often too cumbersome to use. Email encryption is still not common place while SSL as an end-to-end encryption is. It’s easy to use and people have been trained to look for that little golden padlock in the corner before entering their credit-card. Yet I feel that there are a couple of things that could be done to encourage people to pay more attention when it comes to computer security related things. In my opinion this isn’t happening because:
- Most people are good and assume that other people are good too. They hold the door open for the guy that left his badge in the car, they click on the “cool link”, they open email that looks like it might be from someone important.
- Most people see security problems as something that happens to someone else. Most breaches are never publicized, some publicized breaches are so huge (millions of credit card number copied – yet nothing happens to them or anybody they know) – this enhances the belief in the low likelihood of problems. We feel save in a crowd.
- Most people believe they know what they are doing. Some other people are pretty learning-resistant when it comes to computers. I’ve heard some stories from companies in which the IT-staff is supposed to do user-training as well in addition to the external training the people received in the beginning (try to get accounting to explain to you over and over again how to file reimbursement claims). Maybe we really need a computer-drivers-test, but then again drunk driving can kill people while drunk computing can not.
- People get bored. Cry Wolf too often, ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click “Yes, I’m sure.” (This will be interesting with Windows Vista) We are constantly bombarded with awareness-programs which makes the IT-security awareness compete with many other awareness-programs.
- There is no incentive. Most people (employees) don’t face consequences when their PC is infected or the company database gets stolen. People have the neighbors kid come over to remove all the spyware from the machine and so on. Avoidable security problems like spyware turn into a “car maintenance problem”.
I think on the incentive side there is a lot that can be done. In the industry a lot experience has been gained with safety incentive programs to reduce accidents. I found a study cited on a website where it states that the reinforcing safe of acts “removes the unwanted side effects with discipline and the use of penalties; it increases the employees’ job satisfaction; it enhances the relationship between the supervisor and employees” (McAfee and Winn 1989). Properly designed incentives have the approval of the people to whom they are addressed, and are often preferred to other forms of safety motivation such as laws and policing. Probably some incentives could be created to educate the users and teach them safer computer practices. For example, to make people think more carefully about following links in email (phishing!) one could send fake phishing emails; if the user clicks on a link he gets on a page that informs him that this could have been trap and to always enter the URL directly into the browser address bar. It’s possible to track who clicked and who didn’t with specially crafted URLs in the emails. Similar things could be done with harmless executable attachments. I think this is a direction that should be pursued.