When people talk about user education I have to ask if they’ve ever actually seen an educated user. Honestly, we talk about ‘user education’ as if it actually exists, as if the constant effort to get users to do even the simplest security-oriented tasks ever pays off. When does it? When does user education ever work on someone who didn’t already want to learn? Frankly, as far as I can tell, never. You can get the person who’s already interested in computers to listen, but that’s such a small minority of the population that it’s insignificant. A user with no outside interest in computers who actually follows security advice is a unicorn – a myth.
There’s this mentality that computers are only as secure as their users. The sad thing is that, right now, this is actually the case. There exists no software implementation of a security model, for any operating system, that protects users from themselves.
The demand for advanced security keeps rising, but no one is supplying it. Instead, users get pushed to take on more responsibility, when it has been abundantly clear for decades that they are neither willing nor able to handle security decisions.
There’s a great paper from Microsoft Research (Cormac Herley, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”) on the cost-benefit analysis users perform when given security advice. The benefit of following the advice is only a perceived, uncertain avoidance of some future loss, whereas the cost of following it is immediate and certain. As the paper puts it, “Security advice simply offers a bad cost-benefit trade off to users.” [PDF]
The pile of advice we lump together under what, for whatever reason, gets dubbed “common sense” is far too much for the vast majority of users to take in.
Users a decade ago were using the same passwords we see today. The antivirus companies from the 80s are still the leading antivirus companies today, and very little has changed. The user/group model is still the basis of the Windows and Linux security models, and ASLR, a 10-year-old mitigation technique, is still implemented in a weak manner everywhere outside of PaX ASLR.
Despite the consistently growing demand for advanced security, the industry hasn’t evolved in 30 years. The only thing that has changed is that we blame users more than ever, and expect them to constantly keep up with the latest security advice that gets lumped into “common sense.”