Should Users Have To Be Security Experts?
from the probably-not dept
Many computer security procedures rely on users — often average users with no special training — to behave in certain ways, such as by figuring out which emails are legitimate and which are phishing attempts, which wireless networks are okay to connect to, which web sites are safe to visit, and so on. There are some problems with this, though: even for educated users, it’s becoming harder and harder to tell what’s a scam and what isn’t, and in many cases, users who know better make certain decisions that risk security for the sake of convenience or ease of use. Because of this, one security researcher says the industry needs to quit focusing on user education and behavioral change, arguing that security should be integrated into users’ tasks, not interfere with them, and be handled by trained IT and security staff. This seems pretty clear in a corporate environment: employees shouldn’t have to spend time handling what’s essentially an IT function instead of doing their actual job. In any case, the user-education approach also doesn’t seem effective, judging by the ever-growing number of security problems, not the least of which are all the cases of laptops with huge amounts of personal information being lost by or stolen from employees. While some measure of user security education and action will likely be required in the future, reducing the burden placed on individuals and increasing the use of automated systems, whether by reducing and controlling risk, or by embedding more security functions in the network or in software like web browsers, seems the way forward. Indeed, many companies are already taking this approach, whether by putting anti-phishing features in browsers, or by working to control and lessen the effects of security breaches.