Security Basic Training

Education works better than shame at stopping viruses.

A couple of years ago, I wrote a column lamenting the idiocy of many computer users and how they continue to fall prey to viruses that are easily avoided with even a modicum of common sense. I wish I could say that things have changed for the better since then, but I can't.

In fact, even as I write this column, a computer virus is spreading. How? It gets users to open an attachment disguised as a Tetris game. How can people be so stupid? Never mind that the e-mail containing this attachment is either coming from someone the user doesn't know or from someone who would be highly unlikely to send the user a game through e-mail.

I had hoped that shaming users by pointing out their stupidity would get them to start taking common-sense steps to avoid viruses. Wishful thinking, I guess. It's not surprising, though: While I—and the entire security community, for that matter—have been working to get out this message, vendor marketing messages have basically served to reinforce and even encourage user confusion.

A good example is the recent AOL television spots that show average users saying that they want viruses and crashing computer systems. The ads' intention is to promote the (claimed) security improvements in the new version of the AOL browser system. However, the underlying message seems to say, "We know you're stupid; we know you shouldn't be running anything more complex than a toaster. But don't worry, we'll take care of everything for you."

I'll never complain about any vendor adding security features to products, especially a company like AOL. But there is one major problem with this message and others like it: AOL can't take care of everything, and neither can Microsoft, Symantec, IBM or any other software vendor. There is no piece of software written, or likely to be written any time soon, that can stop users from doing foolish things.

So am I throwing up my hands and saying, "We're just going to have to live with the morons who spread viruses or maybe move them all to limited computers that make it hard to get viruses"?

I'm not quite there yet—I think there is still a chance to teach users how to behave more responsibly.

One idea that really appeals to me was mentioned by my colleague Peter Coffee during a recent internal discussion here at eWEEK. Peter talked about the need to promote security awareness and preparedness directly to users—basically moving security preparation from the center to the perimeter.

Peter also spoke to how we have progressed to a "shredder society." As soon as he said this, I realized how right he was.

I can't think of the last time I went into someone's home and didn't see some kind of shredder in a home office area. The all-too-real threat of identity theft has made many people remove evildoers' most direct route to stolen identity—namely, thoughtlessly discarded mail. Interestingly, this awareness came from news articles and public discussions about identity theft and how to avoid it, not by way of vendors offering products that would "take care of everything."

There are plenty of examples of groundswells of public knowledge improving public security—just think about the campaigns to improve the safety of children.

Calling people stupid will only get said people to tune you out. And telling people that you will do everything for them only engenders passivity.

Instead, we need an education campaign that will teach people what they need to know and how to guard themselves against attacks. This will empower users and make them responsible for their own security and online safety.

So I ask everyone who covers security technology, especially those in the general press, to encourage this type of security education. And I especially think that major software vendors will benefit by marketing campaigns that teach security preparedness rather than by providing false levels of assurance.

eWEEK in the past has reported on companies that are taking a proactive security training stance. If your company is currently providing security training to users, I'd love to hear about it.

And I promise I'll stop calling people who spread viruses idiots. At least for a little while, anyway.

Labs Director Jim Rapoza can be reached at

