In 2008, Randy Abrams and I wrote a paper for the AVAR conference in Delhi on People Patching: Is User Education Any Use at All? The paper is available from the ESET WeLiveSecurity site here.
And here’s the abstract:
In general, the anti-malware community splits dramatically into two camps when it comes to the evergreen debate about the effectiveness of user education and security awareness as a protective measure. One camp argues that “if education was of any use, it would have worked by now”: the other, that “education is key” and “you can’t fix social problems with technological solutions”.
Is the answer out there in No Man’s Land? We don’t believe that there is a 100% solution that will “fix” internet lawlessness, let alone human nature (if there is, it probably isn’t education). We do, however, believe, based on our own observations and experience with very large user populations, that properly targeted and implemented education and training, supplemented by other non-technological approaches such as sound policy enforcement, can play a vital part in a multi-layered defensive strategy.
In this paper we will therefore consider (1) the arguments for and against devoting resources to education, training and security awareness (2) approaches to integrating social, less-technological approaches to security into a formal defensive framework (3) user-friendly approaches to teaching computer hygiene to audiences with very mixed experience and technical knowledge.
While we will, mindful of our own experience and the focus of the conference, be addressing the role of education in malware management in particular, we believe the general principles we’ll be discussing are applicable across the whole range of computer security.
David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow