Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security IT

Schneier: Security Awareness Training 'a Waste of Time' 284

Posted by Soulskill from the only-trust-users-to-be-users dept.
An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"
This discussion has been archived. No new comments can be posted.

Schneier: Security Awareness Training 'a Waste of Time' More

Schneier: Security Awareness Training 'a Waste of Time'

Comments Filter:

  • Re:Obligatory car analogy (Score:5, Interesting)

    by dinfinity ( 2300094 ) on Wednesday March 20, 2013 @07:24AM (#43222225)

    No. TFS is a terrible representation of TFA.

    This is a more fitting excerpt:

    The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones.

    Even though TFA is pretty crappy itself with its myriad of bad analogies, the idea of trying to craft effective simplified 'folksy' models makes sense. My favourite metaphor for internet security is regarding the internet as a square in a foreign city center. It gets the message of what to trust and what not across a lot better than trying to explain Javascript, cross-site scripting, or what an executable is.

    In addition to this approach to raising security awareness, a case is (sort of) made for designing systems to support users in security related decisions in a way consistent with the above. I'd say that a green colored address bar in a browser is an example of how to do it the right way and the blanket statement 'this file may harm your computer' one of how to do it the wrong way.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Wednesday March 20, 2013 @08:22AM (#43222493)
    Comment removed based on user account deletion

Slashdot Top Deals

An authority is a person who can tell you more about something than you really care to know.

Close