The myth of user education presented at Virus Bulletin 2006

by Stefan Görling (Royal Institute of Technology)

Tags: Security


Summary: "Many discussions in the security community often tend to end in agreement that the only
way to really address many of our current problems is 'user education'. 'User education'
has in many ways become the default way to address the fact that our security environment
is becoming too complex for us to secure it using software or hardware appliances.
However, what remains to be discussed is whether 'user education' is a way to go forward
or whether it is merely a term used to avoid admitting our failure to create a secure
environment for our users/customers.
Is there any reason to expect that the users would be interested in educating
themselves? Is there any research indicating that 'user education' actually helps?
This paper aims to provocatively discuss two questions. First: should we expect our
users to be interested in education? After all, they pay us for taking care of this,
so that they can go on with their real work. Second: do we have any evidence that 'user
education' leads to a higher level of security? Do the users actually change their
behaviour in a way that mitigates risks? Are the risks we are seeing today addressable
by increasing awareness?"