Showing posts with label usereducation. Show all posts

2008-04-06

On Blaming The User

I've written previously on how blaming users is a flawed approach to security. Recently, in an interview with Educause, Bruce Schneier opined:

Users are going to pick up their knowledge from their experiences. You can try to teach them stuff explicitly, but it's not going to stick in the same way that experiences do, and unfortunately, the experiences often don't match our reality, whether it's an experience of fear, an experience of an attack, or an experience of no attacks. Rather than focus on what can we do to educate users, we need to focus on building security that doesn't require educated users. That will be much more resilient, because while there are some educated users, there are a lot of noneducated users.... For example, my mother is never going to be a security maven—not because she's stupid but because it's not her area of expertise. And we can't expect it to be. If I say, "Look, Mom, you didn't know enough to do this and that, and you deserve to get hacked," I think that's blaming the victim....
(Emphasis mine)

Users aren't going to act securely. It's worth reiterating this message until the security industry finally decides to "get it" and start accepting responsibility for security problems, rather than passing the buck.

2007-11-24

Proper customer email correspondence

Despite the expenditure of a great deal of effort, users are still ill-prepared for email-borne threats. Much of this is due to the mixed messages users receive. We tell users to not click on links in email to strange websites, then send them surveys from third-party companies they've never heard of and encourage them to participate. We tell users to not open attachments they're not expecting, then send out broadcast messages to many recipients with a PDF containing the information they need to read. When I say "we," I don't mean security analysts, but rather employers, service providers, vendors, etc. It's no wonder users still have no idea when they can and can't click on a link, or open an email or attachment.

I get my car insurance from Progressive. Yesterday, I received the following email. This is the type of action that is needed to maintain user diligence and continue to leverage email as an effective communication mechanism.

======================================================================
Important changes are coming soon to your Progressive e-mails.
======================================================================

Dear MICHAEL CLOPPERT:

We're writing to let you know about some important changes to your
Progressive e-mails to ensure that you continue to receive and
recognize them.

Please note these key changes in your e-mails over the next few
months:

- E-mails will be sent from a new address:
customerservice@email.progressive.com

Please add this e-mail address to your address book or approved
senders to ensure that our e-mails reach you.

- Links in the e-mail will point to re.progressive.com instead of
re.progressivedirect.com.
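The two announced changes (a fixed sender address and a fixed link host) are exactly the kind of thing a mail gateway or client can enforce so the recipient never has to decide whether a link is safe to click, which is Schneier's point above. The following is an added example, not code from this post or from Progressive: it parses a message, checks the From address against an approved-sender list and every link in the body against an approved-host list, and holds anything that deviates. The sample messages, the `check_message` function, and the survey host `survey.vendor-example.net` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Allowlists built from the changes announced in the email above.
# Matching is exact on the full sender address and on the link host.
APPROVED_SENDERS = {"customerservice@email.progressive.com"}
APPROVED_LINK_HOSTS = {"re.progressive.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL found in a plain-text body, in order."""
    return URL_RE.findall(body)


def check_message(raw: str) -> dict:
    """Classify one raw RFC 822 message (single-part text assumed).

    Returns a dict with the parsed sender, whether it is approved, the list
    of links whose host is not on the allowlist, and a verdict of either
    "deliver" (everything matched) or "hold" (review before the user sees it).
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    body = msg.get_payload()  # str for a non-multipart message

    unexpected = []
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if host not in APPROVED_LINK_HOSTS:
            unexpected.append(url)

    sender_ok = sender in APPROVED_SENDERS
    verdict = "deliver" if sender_ok and not unexpected else "hold"
    return {
        "sender": sender,
        "sender_ok": sender_ok,
        "unexpected_links": unexpected,
        "verdict": verdict,
    }


# Constructed sample messages (not real correspondence).
GOOD = """From: Progressive <customerservice@email.progressive.com>
To: customer@example.org
Subject: Your policy documents

Your documents are ready: https://re.progressive.com/policy/12345
"""

# Same legitimate sender, but one link goes to a third-party survey host the
# recipient has never heard of: the mixed message the post describes.
MIXED = """From: Progressive <customerservice@email.progressive.com>
To: customer@example.org
Subject: Tell us how we did

Your documents are ready: https://re.progressive.com/policy/12345
Please take our survey: https://survey.vendor-example.net/form
"""

# Unapproved sender, even though the link host is fine.
WRONG_SENDER = """From: Billing <noreply@example.net>
To: customer@example.org
Subject: Your policy documents

See https://re.progressive.com/policy/12345
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("MIXED", MIXED), ("WRONG_SENDER", WRONG_SENDER)):
        print(name, check_message(raw))
```

Run stand-alone it prints a verdict for each sample; the MIXED case is held because of the survey link, and WRONG_SENDER because of the From address. Exact host matching is deliberate: a suffix match on `progressive.com` would also accept the old `re.progressivedirect.com`-style hosts the announcement is retiring, and the value of a rule like this comes from the sender committing to a small, fixed set of addresses and hosts.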