Discussion on:

Inside your users' brains: Where they get security advice

To tell a story - in keeping with the research findings - one of our intelligent, but non-computerish clients phoned to ask how to respond to the message 'jusched would like to make changes to your computer', or words to that effect. Now we know that's Java asking to check for updates, and it's fine, but how on earth was she supposed to know that? Having drummed into her the need to pay attention to messages, where and how would a 'lay' user find out what it meant, if she couldn't phone us free of charge? She even had the healthy thought that if it was a nasty, she might get into more trouble if she started Googling.

The lesson (see above) is that so long as many of the messages and explanations our poor users see on their computers, conversations with experts and discussions on techy websites and are couched in language they do not understand, and they do not have access/time/motivation/money to learn enough to understand, they will seek help from someone or something who explains things in straightforward language, like that warning about Facebook. Isn't that part of the reason spoof antivirus programs succeed?

I could not agree with you more. If you noticed the research paper was readable in a way that is uncommon for academic papers. I mentioned that to Emilee and she said that was on purpose.

While reading this story that is the first thought that came into my mind. That the messages that do pop up are ones designed for people in the know. Some messages have softened the language a little and made them more people friendly however there still seems to be a large disconnect. Some have worked too well, when I've told someone yes you can ignore that SSL warning because your going to a site we control that is using a self-signed cert, they are afraid to proceed because of the scary warning.
It sounds like we need to get better in user education through various methods, application messages, stories, classes, training, etc. I'm thinking layers of communication. I think it would also help if some standards were used in messaging at least with common items, such as SSL, Logins, SPAM, etc.

The statistic that impressed me was the 95 percent who believed the story to be true. Im betting most IT experts would like to have that percentage of users believing what they say.

That is how I try to advise all clients about Security by telling them a story directly related to what work they do. They seem to understand it better that way, so if they are a Surgeon the story is set in their everyday Work Environment or if they are a Earthmover I tailor the story to something that they can understand. I find I get fewer calls with questions about what they should do when they get something different appearing on their screen and they hopefully learn something along the way.

Of course the tricky bit is knowing what they do each and every day and understanding what their work actually is.

Col

As someone who travels all around this great country visiting Computer Clubs and other clubs where the common factor is computer usage, I know from first hand experience that a majority of our Seniors lack computer education.
It is my job to explain, in simple language, computer security to the members of these various clubs.
Simple language and a willingness to take the time to explain the importance of cyber security has always been greeted with a warm thanks and usually the comments of "Gee, I didn't know that." or, "No one ever really explained it that way."

I also would like to thank you for going the extra mile. I'm betting you get a whole lot of smiles in your travels.

The statistic that impressed me was the 95 percent who believed the story to be true. Im betting most IT experts would like to have that percentage of users believing what they say.

Believe? My users ask me what to do in a given context and I tell them. It's not a question of belief, more a simple case of an ability (or otherwise) to follow instructions.

Also, this confused the hell out of me :

You never tell anyone one what to do. You tell them what may or may not have worked for you. Sound familiar?

I don't quite understand the point here, my job involves almost exclusively telling people what to do, there's very little point implementing a system and then being vague about how it works or going all allegorical on their asses.

I get that in a wider context security education is a difficult thing to achieve, and appreciate the research from a consumer perspective, but in business users should do what they're told, it's work, that thing the company needs them to do in order to make a profit. The trick is to make sure you can catch it if they do it wrong then tell them again (in a security context that's blocking malicious websites and emails and a decent virus strategy), I can't see any mileage in this approach to educating business users about processes excepting what they learn from each other, making the whole point of the article moot, surely?

The article was focused on home and users that do not have IT-experts at their beck and call. That said, I've been in "The biz" for 35 years and I find ordering people about has more negative impact than explaining why they need to do or not do something. I believe there is more "buy-in" that way.

How would you prefer it done to you?

I worked in a non-profit organization that was very business like, and I didn't tell anyone what to do. I pretty much told them what the requirements were, and in a way not too much different that what is related in this article. Our CIO backed us up on this; and if the clients didn't listen - they got fired. But then we had classes on HIPAA and other security requirements, so it wasn't like they didn't know that this was important.

I started out teaching myself computers and how to approach things, so I try and give people an option of either a little bit of advice, a link, or just a little tool to get things fixed. Sometimes the tips I have sent out have helped people, since they have printed them out. The best help yourself tool so far is the USB drive portableapps utility, that allows you to look up things yourself. Or, just let them call me. The goal of course is to provide resources for people, and so far this has worked with people I have worked with, especially with thise who want to be able to fix their own issues.

is most of my users have more awareness of the problems than they let on. They therefor knowingly do not follow the right practices they know they should. I'd chalk that up to the 'it happens to other people, not to me' invincibility complex.

I base this on the assumption that when the task at hand is a survey of what one knows, one is more likely to want to prove they do know something about whatever the subject of the survey.

So that 95% knows, but doesn't apply that knowledge to the same degree, probably for numerous reasons. "[doing the right thing] is too much work" is the excuse I hear most often for obviously inappropriate actions. (eg globally disabling noscript)

I work in the security field, one of the problems I've faced with stories is that pervasive attitude that everything happens to someone else, it will never happen to me. I have a network analyst that I have referred dozens of stories about attacks and breaches that are happening in neighboring communities and he believes through and through that it will not happen to our network, they must be doing something wrong. It's magical thinking, like people that drive after drinking, because it doens't affect them the same way it affects others.

When I was teaching, I found the "non-traditional-age" students both challenging and usually quite rewarding. They were great to call on when I made a reference the "traditional-age" students wouldn't recognize.

One idea I hit on repeatedly for them is that some of the "ways things are done" were selected arbitrarily--sometimes out of thin air, it seems--and not to feel inadequate because they can't "figure it out." No matter how logical they are and how hard they try, it isn't going to happen.

Among the important skills is using the search methods to chase these "way things are done." However, the vocabulary can be arbitrary and frustrating, so there's another stumbling block. Who decided it was going to be "records" and "fields" and "files"? "Records"--that's LPs and 45s and how we listened to Elvis before he went into the Army. "Fields"--Ooh! Ooh! I know that one! That has something to do with growing corn and soybeans. "Files" are how you sharpen a hoe. I used to tell them one of my major functions in life was teaching them to translate Nerd into Hillbilly. More than once I said to a student, "I'm sorry, I can't make that one make sense to you--or me. We just have to live with it." And they accepted that.

Convincing these people to give themselves a break is tremendously important. This is incredibly new to them. Teach them to be patient with themselves.

I have experienced the same thing, particularly with people to whom English is a second language. That piles on even more to work through. But the reward is well worth it.

I remember one class in which the instructors talked about "spawning" a task. One student (Chinese?) couldn't understand that, until another student said it was like a fish spawning. That got the point across to the student, but the instructor also had one of those "AHA" moments - so THAT'S where "spawn" came from!

- Jim Garrity

Thanks for sharing that moment. Language is one fascinating subject.

Files and records have been around since long before the computer. Think personnel or financial records stored in a filing cabinet. Records, as applied to LPs and 45s, is shorthand for recordings.

As for who decided, who knows? I want to say Adm. Grace Hopper, but I would probably be wrong.

It's something one doesn't really think about until presented with the situation. I have a new friend and English is not her first language. It's real easy to see the frustration when multiple meanings are involved.

The situation we hit once in a while is a person whose background is quite different. Think of a farmer who had a heart attack in his 50s and is working toward a career within his capabilities, a truck driver who had a bad wreck, or an assembly line worker with a back injury. One of them didn't get a high school diploma, but got a GED in the service. None has been in a school environment in twenty-plus years.

Possibly getting a little farther afield from "where do they get their security advice?" throw into the mix that a few of the farmers, truck drivers, and others who weren't dealing with the public on a daily basis still have attitudes toward women and minorities left over from the 60s. Now give me an intelligent and articulate 24 year-old female Japanese-American lab assistant who has lived in the Midwest all her life, speaks with an Ozarks accent, and can do ANYTHING. Oh, and she looks 17 and is cute as...she's very attractive.

Or take it to business/industry and make her one of the techs who goes to the user who can't login because the password must have upper and lower case letters, numbers, and punctuation marks, but can't use dictionary words or $^&*. Sometimes these trouble tickets are handled with, "Uh, maybe we better let Jim take care of that one."

Older students with "traditional" attitudes toward women and minorities and a young, mixed-race, highly-competent, and attractive lab assistant.

Which gives them more fits? The "female" part? Or the "Asian" part? I'll bet she's been addressed as "Honey", "Sugar", or "Sweetie" more times than she cares to think about.

It's not just Java- I'm sick and tired of the number of patches released for Java and Adobe stuff. Our kind-of-base build software is Java, every free Adobe product under the sun and quicktime. Quicktime's not so bad because it isn't patched too often. The other 2, however, are a nightmare. People need them because bits of the web stop working if they're not up to date (fair enough), but no sooner have we downloaded the latest version than another version is released. This is at least 6 bits of software! WSUS won't patch them, so we just have to re-download them and prep for distribution on the LAN and wait 'till next week. In that intervening week, we'll spend time trying to figure out in what novel way they've got an auto-update feature switched on to annoy hundreds of people with exactly this kid of "update me know!" pop-up.

@doke... what puzzles me is the inherent trust people place in IT as if it's- as you said- magic, and completely utopian. "I've just put all my bank details into a web site I got sent via email". Would you really do this if someone just knocked on your door and asked for those details? So why do it for a random email? We've also had attachments sent outside the business that shouldn't have been- again, presumably they would (hopefully) never send this data out on a postcard so why do it in email? I suppose a lot of people don't realise that most of the internet is inherently insecure and therefore the data is freely available in "postcard" format with basic tools like WireShark (which is great for tinkering).

All the classics are tales of woe to instruct others to avoid.
The best stories have withstood millennium of oral translation.
What we need now is a way to get people away from modern media and back to learning from cautionary tales.

I find that the worst cases of virus/malware problems come from bad habits.
Entirely controllable computer use that is just a bad decision that the user should have avoided by matter of course even without specialized education.

I ask two questions, would you give a person on the street you asked for directions all your personal information and would you give a street vendor your buying pirated CD's from your credit card.
never mind porn sites... /sigh

Joe and Jane User may hear stories, but all they may recall are:

"He used some software to fix the computer."
or
"He had to throw his computer away and buy a new one."

This is due to the lack of understanding what really happened. For example, when a person, with no knowledge or interest in cars other as a way to get to work, takes it to the mechanic because of a noise, what do they remember? The cost of the repair and that it was, "something electrical" or "the transmission". Regardless of the real cause (bad alternator pulley bearing and worn solenoid could be the problems).

It has nothing to do with the person's ability to learn, or their intelligence. It's simply information they cannot grasp.

So, "I had a virus, but my antivirus software caught it and fixed it for me," becomes, "He ran some software." This person is then easily snared by a FakeAV attack because it's "software for viruses".

I believe that there will always be a large segment of users who are unable to adequately understand the threats out there, or how to deal with them. Instead, it's unfortunately a burden that must be borne by the software and OS developers.

Sorry, it was just too tempting. I held out as long as I could.

Of course users have brains. The attitude of 'you don't understand or are not interested in computers and therefore you have no brain' needs to go, completely. It's arrogant and unproductive. Some of our less computer-knowledgeable clients are surgeons, senior engineers, authors, financial wizards and architects. I know a lot less about their subjects than they do about ours.

If that were to happen, I think we all would play nicer together.

not a serious comment. I regularly tell those I support that I just have a different skill set, one that wouldn't help me much if we had to change places.

By definition, we all are users -- aren't we?

I haven't seen a service or occupation yet where the practitioners didn't express a degree of contempt, real or feigned or even affectionate, for the customers. Ask any auto mechanic or LPN.

But, as my wise grandfather used to say, without them we wouldn't have a job.

"..if it weren't for all the people." The mechanic that worked on the company aircraft used to mumble that line when particularly frustrated.

He was full of 'em. He's the one who introduced me to the "[turd] sandwich" concept of employment.

He would be in trouble if everyone knew as much as he did about airplanes.

"Teaching would be a great job...if it weren't for the students."

That you were a great teacher and your comment was a jest on your part.

I knew the stuff, and could pass along, but nothing I did to make it interesting seemed to get the students motivated. I gave it up as bad for my mental health.

and the men that do it; but if I were a passenger on a flight that revealed what THAT A&P mechanic thought about people on board, I might select to go ground route.

Dont' get me wrong - I got a brother that knows it is a fly or die world, and he is so anal about his work, he would probably commit Seppuku rather than face failure of technical proficiency ! He'd be mad as hell at failure, because he is so into accuracy and job proficency, that he would be just as dissapointed at not catching mechanical failure as losing precious lives. Also don't get me wrong that he, or I for that matter, consider our job history as more important than people's lives - we are as proud of our good work, as if we flew in the aircraft our selves.

To many of our friends are helicopter and weather modification pilots, and we consider their lives irreplaceable, just as we do ourselves. I just want to emphasis that there are still those who's work ethic is at Mt. Everest level, not at AFL CIO union level!!

You're right, people may measure their skills, success or whatever against themselves, some standards, or what other people accomplish, and may lose sight of the reason for being in the process.

The good news, I suppose, is this A&P ended up being an inspector for the FAA. Thought we didn't relish seeing them coming, in the long run you do want a hard-a$$ wearing that hat.

BTW he tried hard to get me to join the agency, too. I ran a perfect general aviation op (I mean perfect, I have a funny story about an inspection..) and he knew literally nobody else did, and wanted me to crack heads. (I'd know where the skeletons are buried)

I've left an inspection story somewhere on TechRepublic; I'd be interested in yours as well!

I was chief pilot/director of ops of a corporate flight department. I wrote the whole op, including the maintenance schedules. (yet another wild story, I grounded the dept and insisted my predecessor was doing it wrong... imagine a "new hire" immediately shutting down the op)

We had a 'whole house' inspection one day, a fellow not known to be prone to vindictiveness, but a serious hard ass nonetheless.

To get to the point, when he was done ripping every detail apart he could find nothing wrong. He outright admitted that regardless, he had to find something to fault us on, something about justifying his job.

So here's what he came up with...

One aircraft had Pratt and Whitney PT6-11 power plants, which are also used in marine applications. There was a service bulletin out for the marine-only applications, in fact it involved parts that don't even exist on the airplane version. The directive clearly stated not only that it applied only to marine systems, it mentioned, for clarity, tat it was definitely NOT applicable to the Cheyenne I (the only plane to be cursed with these down rated sulfur gathering beasts)

Well, there's a bulletin, and it mentions PT6-11... the FAA fellow asked me where the log book entry was for this not-an-AD. Um... we don't need one.

He insisted, and wrote me up for it. He said he's be back in a few weeks to see we'd "straightened out this situation."

We were in western New York, our Cheyenne maint was handled by a specialist firm in Groton Connecticut. I called and explained the deal, and they couldn't stop laughing. We arranged to mail the logs, they make the entry and mail back.

In the end it said something very close to "P&W service bulletin XXXX is not applicable to aircraft installations."

I think the shop was impressed with the outcome of my 'grilling,' but they were relentless about this, every chance they could a joke would slide out referencing putting whatever in the logs. eg I'd come back from lunch (waiting for some minor day maintenance) and someone would grab a log book and pen, and ask me what I had for lunch, pretending to be writing it down.

I'm glad I bailed when I did. I can't imagine what I would do to some lowbrow with blue gloves trying to grope my executives before they get on their own damn plane. (They are starting to show up at general aviation)

When we dissolved out department I had a few job offers to fly Gulfstreams. They all entailed being on the road far more than being home, and I had young boys at the time.

But one of the things that turned me off was they all also showed me the handguns secretly stashed in the cockpit and elsewhere, and told me I'd have to be proficient (and fast) with them, because in a lot of their remote destinations you deal in huge wads of US money.

I'd say a non-sworn "officer" with a 85 IQ and blue rubber gloves groping my passengers and bossing me around would warrant a measure of lead in their a$$... I'd be soooo tempted. .

.but deliver us from evil.