Helping Users Protect Themselves

Some soundbites rom The weakest security link?  It's you, a recent article:

People are the weakest link.

Education is the first line of defense.

People are still not thinking before opening an (e-mail) attachment.

The big problem with educating employees on security issues is being able to track whether you're getting through to people.

Everyone knows about viruses, for example, but half the people don't have antivirus software.

While I agree that people are the weakest security link and even the world's strongest lock is useless if not used, I don't think that training employees about security and tracking security policy compliance is enough to fix the problem.

What's the missing ingredient?

Helping users protect themselves.

Just as training drivers all about driving hazards is useless if the driver is a blind, users can't protect themselves if they are not fully aware of what is going on around them.  Was there any suspicoius activities involving my account since last time I signed-in?  Is there someone accessing my online bank account at the same time I am?

If a hacker broke into your computer remotely and used it to send phishing e-mails or spams, how would you know?  Unexpected blinking network connection lights?  Something is wrong when it's easier to keep track of friends logging into their computers than strangers logging into our computers.

Unfortunately, most designers of today's security products see the user only as an input device: I'll give you access to these if you give me this and that.  This mindset encourages people to be more concerned about lossing access than gaining protection.  This is why people reuse passwords and write them down in easy to find places.

Security companies need to start thinking more about helping users protect themselves by providing more information about what is going on and letting them play an active role in security.  If something suspicious is going on, don't let the information sit until probability crosses some security policy thresholds.  Inform the user rightaway.  Remember that, to the user, no news is good news so they'll think what they are doing is all right unless they are warned away from dangerous edges.


p dir=”ltr” style=”margin-right:0;”>There are ways to inform the user without getting in their way too much or making them paranoid.  For example, if an e-mail message has executable or unknown file attachements, mark it visibly as potentionally dangerous.  Hyperlinks should always clearly present the destination URL to the user instead of hiding it behind a possibly bogus text.