The first decade of this century has seen an explosion of
information usage. Every aspect of our lives has been touched by
information technology. Our banking habits have changed. On-line
buying has become a part of our normal life. With all this, we have
also admittedly become more vulnerable to information insecurities.
Daily doses of stories depicting identity thefts, phishing attacks,
wireless attacks, and mobile phone vulnerabilities keep reinforcing
the need for awareness of information security. Every major company
seems to be doing its part of corporate social responsibility by
releasing big advertisements about safer usage of information
systems. Despite these efforts, the attacks do not seem to be
abating at all. Is it because information system attacks have
become more profitable, or because end-users have become more careless?
Probably both are contributing factors.
Recently I read an interesting article, "Folk Models of Home Computer
Security" by Rick Wash of Michigan State University. This article
reinforced some of my observations about information security
education. The article states that people usually have mental
models of how things work and use these models to make
decisions. Folk models are mental models that are shared among
members of a culture but are not necessarily accurate in the real
world, and so lead to erroneous decision making.
The article describes four folk models about viruses and four folk
models about hackers. These folk models give the general beliefs
that people have about security threats. The security decisions
taken by people are based on these general beliefs. There are
twelve items of expert security advice (given below):
- Use anti-virus software
- Keep anti-virus updated
- Regularly scan computer with anti-virus
- Use security software (firewall, etc.)
- Don’t click on attachments
- Be careful downloading from websites
- Be careful which websites you visit
- Disable scripting in web and email
- Use good passwords
- Make regular backups
- Keep patches up to date
- Turn off computer when not in use
Depending on the folk model a person holds, each piece of advice is
judged ‘may be applicable’, ‘not necessary’ or ‘not applicable’, and
only in some cases ‘important’. In simple terms, most people think
that security experts provide advice that ignores the cost of users’
time and effort, and therefore overestimates the net value of
security.
I found two items of great interest in the 12 items of advice. Item
number 5, ‘Don’t click on attachments’, and item number 7, ‘Be
careful which websites you visit’, have been accepted by most people
as important advice to be followed. This shows that a folk model can
be influenced by extensive education. On the other hand, item number
8, ‘Disable scripting in web and email’, has not been understood by
anyone, which shows the failure of security education. The biggest
shock is to find that item number 9, ‘Use good passwords’, has not
been found applicable by most users. This definitely is a big failure
of the security education system. It means we stress the use of good
passwords while rarely explaining why a good password should be
selected.
We need to focus on improving the understanding of security
topics by everyone who uses information systems. We have to explain
the potential threats in a more effective way so that users
understand them and are motivated to use appropriate methods to
avoid the threat impact.
The author is Director, COO and Head of Delivery at
MIEL e-Security.