Wednesday, May 02, 2007

the effectiveness of user education

amrit williams has a post up about how ineffective user education is... if you've read this blog for a while you probably know how i feel about user education already but i guess there's more to say than to just point to anecdotal evidence of it working in real life (amrit does that himself with the example of his mother)...

so which is it? technological 'solutions' or user education, nature or nurture, particle or wave, fate or chance - to paraphrase forrest gump, it's a bit of both...

amrit is right that user education isn't going to make things secure, but let's look at that again - nothing is going to make things secure, not user education, not technological controls, not even a combination of the two... security isn't a boolean property, it's a gradient... talking about making things 'secure' is pure sophistry as we should be talking about making things more secure than they are right now... don't let the great be the enemy of the good; since perfection is impossible anyways one must settle for simply making things better...

in that vein user education has a rather well defined place... security requires intelligent, context-sensitive decision making that just can't be hard-coded into the system... i understand and appreciate that people are hard to control and generally unreliable... i understand why security folks would want to ignore the user problem since they're trying to build reliable security... unfortunately, whether we like it or not, users are a part of the system and they're always going to be a part of the system - technology cannot be an island unto itself... technological controls are just tools and users need to know how to use those tools properly or the tools themselves will be ineffective (just as knowledge without good tools is also ineffective)...

neither user education nor technological controls can reach their full potential on their own, they need each other if we're to get the most out of our attempts to make things more secure - and unreliable though that might be, it's better than relying on either individually...

1 comment:

Unknown said...

very well put, sir! :)