Recently during an event at a University, I had the pleasure to participate in a panel discussion and it did not take too long until I was heavily in disagreement with the professors there. The reason? It became a discussion around consumer security and risk management. The claim the professors made was, that the consumer has to assess the risks of their actions.
Well, I am a believer today that this will not work (even though it would be preferable). I definitely agree that everybody should take responsibility for all the actions a person is doing. Nevertheless, there is a strong "but". Let's go back in history a little bit:
My grand-uncle was a farmer. Where he lived, nobody ever locked the doors - there was no reason to do that as there was nobody anyway who was interested getting into the house (at least it never happened) and he did not have too many valuables at home anyway. So he did a "risk assessment", looked at the "assets" and decided to do it that way.
When my parents later moved to the city where I grew up, it was normal having the doors locked and using keys: Different risks, different assets. We learned risk management on physical security over thousands of years and generations passed their experience over to the next one.
Now, look at the Internet. I finished my Master of Computer Science 1992 and the Internet was never seen there during my studies. It was shown to me about 2 years later by a student doing his internship (and I thought that I will never use this stupid thing but this is a different story). My parents probably got in touch with the Internet 1998 - so 9 years ago and we really want them to assess risks with this amount of experience?
Additionally see how the threat environment changed over the last 10 years: The writers of Blaster, Slammer and Sasser have been mainly vandals bragging about what they were doing. Today we see the organized crime investing a lot of money to fool my parents into doing something they do not want to and how are they trained?
So, what can we do about that. I personally think that there are different layers:
- Technology: The applications as well as the Operating Systems have to do a better job explaining the end user what the consequences are if they click somewhere. I personally think that we did a biiiig step with Windows Vista and we have to collect information about this but there is still room for improvement
- Education: There needs to be a better offering of trainings around these problems. And these trainings should be targeted at all the different ages. E.g. retired people have a lot of time to surf and they are willing to learn. There are models where teenagers teach seniors and this works extremely well.
- Media: I tried several times to motivate the general press to support education efforts but there is no murder, no blood involved and no-one to blame (except for the criminals that could do something) - so there is no motivation for the press to go after this.
- License to Internet: There are discussions in different countries in EMEA whether it would make sense to have something like a "driver's license". This will never going to happen as we would come back to the free Internet but the idea is basically not too bad. Mainly because users being a victim of every social engineering attack out there are a risk not only to themselves but to the Internet as such (think about DDoS, Botnets using them as Spam relay...). Now, do not quote me that I said that we need this! But there is definitely so good stuff in this idea.
I am sure that the next generation will address a lot of these problems as my kids are growing up with the Internet and they are using it just naturally. The challenge will be to educate this generation how to do "Risk Assessments" from th beginning. And with that we are back to Universities and schools. The teachers have to teach them (besides Math, Langugage,...) tons of different themes and they do not know about these problem anyway and therefore they do not address them. So it might take even more than one generation...