Security for the Average People

http://www.theregister.co.uk/content/56/32672.html

The article up here really caught my attention.
It is sort of something I have been thinking for a while now.
We need to give more education to the end users, not to scare them with complicated matters.
The world of IT Security in particular, keeps a great distance between who's working in the field and who's not. Who is not working in ITSEC, the normal people that compose a huge percentage of Internet hosts… they just don't understand the matters enough.
Telling them to apply patches, to set up firewalls, to use antiviruses and to respect our known, consolidated best practices is not going to fix the situation. We use a language that is not immediately understandable, too technical, too detailed, lacking analogies, metaphores, etc.

We don't need to scare them.
The approach of scaring people to push them to protect themselves is not a good approach.
Because that's what we do. Or better, that's what the IT industry and the press mainly do.

And Beware: I don't mean only scaring them against the problems and the risks. That might even be acceptable.
What I am afraid of, is that we scare them about the solutions to the problem!
When they hear or read of a virus named with twenty different names, with several numbers to understand which is the right patch to put on… even the more determined "normal people" give up.
I still see people at my work coming to me asking for help with their home pcs, and I am dispensing floppies with removal tools and patches… and a couple of words of awareness.
Tools and patches are not enough on their own.We need to TALK to them.

People need reasons, as they tend to move aside from what they do not understand.
And computers are still not understood by the big masses.
They might be using them. This does not mean that they are actually feeling confident at all about them.
The PC revolution has allowed the computers to get out from datacenters and to populate the living rooms of the average families.
Well, most people just want to use this technology as an improved TV…. reading news, sending mails.
They don't necessarily want to be involved or just to bother listening to scary stories of hackers, unnumbered lists of security bulletins, or patches, or viruses.
Let's be serious for a moment: my mother finds a videorecorder still cumbersome to use, but she does sends emails and surfs the web. How is she supposed to understand the concepts of bugs, exploits, patches, and so on?
They normal users still keep a semplicistic approach to the problem, similar to that they would have for a car: "when it is broken I'll have someone fix it". They don't understand the consequences that this kind of technology can take with it. And we are just about to give this technology an extra boost of capillarity, pushing internet on mobile telephones and various devices…
IPv6 is designed to cover an immense address space, with the backing idea of providing each individual a large number of addresses for each devices.
Who is going to explain to that granny, tomorrow, that the thieves got into her house and deactivated the alarm of the house having gained elevated privileges with a buffer overflow on the old software (not patches) of the dish-washer, which is networked with the rest of the world?
People don't want to become insane running after their technology gadgets.
We, geeks, might do, but the rest of the world doesn't.
They just want to use technology that makes life easier, not more complicated.

We need to make "simple people" aware of the ever increasing importance of security, but I would rather be happy of doing that by showing them that it is not as complicated as we present it now. They have to get aware that with each one of us following best practices, we can keep the whole world in a better state. We are citizens of the Net, and we have to be "good neighboors" to the other inhabitants of cyberspace. When our security means not being a pending danger for th other IP addresses (think of a worm spreading…each one ontaged becomes – unwillingly – an attacker), maybe the message gets through.
It might evoke/awake that bit of love that people still have for each other.

But in order for this to be effective, we have to support our explanations, our "transmission of knowledge" with a simple language. And we have to support it with first line initiatives.
For example, there are different kinds of broadband providers: there are those whose commercial pushes the message "your pc is connected day and night! WOW!" without showing ANY possible negative side. Being on the internet day and night might be nice, but it does carry risks. And those risks don't get usually explained.
A loud "BRAVO !" goes to those which give them a personal firewall package as default part of their package, instead. Showing an effort to protect them.
It's kind of having all the cars being equipped with seat belts, which is what it happens today: everybody uses a car, still we are aware that it is risky.
Well, this risk is not "visible" to the standard, end computer user.
We need to show them the risk in clear terms, and provide them adequate protection out of the box.

We need to simplify their involvement, but making them aware that they ARE indeed involved.
They are involved in keeping the internet a better place for everybody.
To achieve this we have to help them grasp what happens.
With simple language. With examples.
With Solutions, but without high costs.

What can we gain? The Internet will be a better place.
What we risk if we don't? The Internet itself. The TRUST of people in the technology itself.

Who knows – as the article I quote at the begining says – if we might finally convince people not to open attachments….

Leave a Reply

To prevent Comment Spam, we use Asirra, a Human Interactive Proof that will require you to click on pictures of Cats to set them apart from those of Dogs, rather than filling in some unreadable, distorted string of obscured and dodgy letters.

It should be easier and take you just as long.

We promise that no animal will be harmed during this classification process.