Thursday, October 12, 2006

The pointlessness of user security training

Stefan Gorling, speaking at the Virus Bulletin Conference in Sweden this week, thinks that most user training on IT security is a waste of time.

From a CNET report on the conference:
"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.
On the one hand, Gorling does have a point. Filtering out email attachments containing malicious code is a far better approach than exhorting users not to click on attachments from unknown senders. Similarly, new browser technology to flag counterfeit websites is a more effective solution than trying to train users to discern a phishing attempt.
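To make the gateway-side point concrete, here is a small policy-based attachment filter. It is an added example, not code from the post or from Computer Economics; the blocked-extension list and the "PE header means executable" rule are assumed policy choices, and the sample message is constructed inline. The control works the same whether or not the recipient would have clicked.

```python
"""Policy-based e-mail attachment filter (added example, not from the post).

Illustrates blocking risky attachments at the mail gateway, a control that does
not depend on user judgement. The rules below are assumed policy choices.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content under the assumed policy.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# Windows PE executables start with "MZ" regardless of the name they are given.
PE_MAGIC = b"MZ"


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the policy reasons to block this attachment (empty list = allow)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    # Content check: catches an executable renamed to look like a document.
    if payload.startswith(PE_MAGIC):
        reasons.append("PE executable header")
    return reasons


def filter_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message; return {attachment_name: reasons} for blocked parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            blocked[name] = reasons
    return blocked


def build_sample_message() -> bytes:
    """Constructed sample: a benign text file, a renamed PE, and a double-extension .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Please see attached.")
    msg.add_attachment("hello\n", filename="notes.txt")
    # Claims to be a document but carries a PE header (constructed bytes, not real malware).
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="report.doc")
    msg.add_attachment(b"not really", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in filter_message(build_sample_message()).items():
        print(f"BLOCK {name}: {', '.join(why)}")
```

Running it blocks `report.doc` (PE header despite the document name) and `invoice.pdf.exe` (blocked extension) while letting `notes.txt` through; both decisions are made before any user sees the message.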

On the other hand, I don't think user security training is pointless. The primary focus, however, should be educating users about, and reminding them of, the organization's security policies: acceptable use of computing resources (e-mail and instant messaging), backup procedures, encryption, and wireless access.

By the way, at Computer Economics we've just launched a new online survey regarding IT security threat trends. The survey takes about 15 minutes, and if you respond we'll send you a free copy of the resulting report. Take the survey now.
