Yesterday I wrote a bit about
this story. I also came across a comment by
Bruce Schneier about the same story. I find Bruce to be a very wise person (which is part of the reason I read his blog once a week or so). He says in his comment about the story
But concluding that employees don't care about security is a bit naive. Employees care about security; they just don't understand it.
Then he says
Education is one way to deal with this, but education has its limitations.
This goes against my comment from
yesterday. I said
Anyone who has ever worked as a sysadmin knows that the users are often the biggest security risk. User behavior is a lot like how water runs down a hill. The water will follow the path of least resistance.
I'm beginning to think the real issue here is that we really have no idea how to describe computer security to the normal person, which in turn makes it hard to imagine how non-geeks perceive computer security.
As a geek there are various things I take for granted. I know my bank isn't going to shut off my account, I know Bill Gates isn't going to send me to Disney World for replying to an email. I know those "update things" really do need to be installed.
I can't help but think that comparing a normal person using a computer to someone using a car or a furnace is a flawed analogy. Your car is never going to try to trick you into giving it your credit card number. My furnace has never offered to send me on a trip. It is possible for a person servicing a car or appliance to attempt to be dishonest, but one usually seeks out the service; it doesn't come to you. There is also the problem that normal people can justify spending a couple hundred dollars to fix a car or appliance that cost an order of magnitude more than the price of the repair. If a normal person hired a consultant to fix their computer, they would likely pay three or four times more than they paid for the computer.
I can't think of a single analogy that can properly describe computer security. There are few things that wield so much power as an internet-connected computer, that are completely baffling to 90% of the people who use them, and that can cause so much damage if used carelessly.
Perhaps if we approach our analogy from a very different angle:
A Government. If you leave it to its own devices, you're going to end up with a broken system out to take all your money and give you nothing back in return. A good government though must be watched closely by the people, and it's known that the more involved the population is, the better the government functions. This would be a great time to shamelessly plug open source, but I'm not going to. I'm still not sure this analogy is correct apart from my very shallow observation.
It could very well be that there is no analogy that can describe computer security to the normal person. I can't say I can really think of an analogy that could describe the usage of a car either. Maybe the best analogy to describe security and the normal person is
Security and the Normal Person.