You are infected/hacked and it is your fault

That is quite a harsh statement, and also mostly untrue.

From an expert's perspective it sounds true. How can a person click on a link that is so obviously a scam? Or how can a person say yes to installing an ActiveX control?

Although those statements are technically correct, in real life you are missing the point. The average user out there does not know what a scam is or even what ActiveX is. For them it is either something unknown or something that does not work and should be fixed.

If you buy a car, nobody expects you to be able to write an exam to explain the physics and chemistry behind the internal combustion engine. The only expectation is a driver's license, insurance and some basic knowledge on what to do with the gasoline.

Why do we expect the average user to be able to write an exam on the internal workings of a computer and its software if we do not expect that of a motorist? A vehicle is a very dangerous machine that can potentially kill people. At this moment in time most computers are not that dangerous.

So why do we expect more from a computer operator than we expect from a vehicle operator?

I think computers in general, and security software specifically, are just hopelessly too technical and abstract for the average person to understand and associate with.

Let us look at two scenarios:

1. If the average person walks around in an unknown city and is suddenly confronted in a dark alleyway by a masked man, they will at least be concerned and frightened.

2. If the average user receives an email purportedly from the local tax authority stating that they need to run the attached application to prevent tax problems, they will trust the email and happily execute the malware.

Why does the average user not see that these situations are synonymous?

Let us take email as an example.

The average user just does not understand that receiving an email is similar to talking to a person but with a few significant differences. When you talk to a person you can see him, hear him and verify his identity using visual and/or auditory cues. There is a significant amount of redundant information in any physical conversation that allows you to make assumptions and associations that allow you to fully comprehend the situation.

In email you mostly do not have a lot of information. In general email is totally untrustworthy. There are no guarantees that the person an email claims as its author is actually the person who wrote it. Email also does not contain any of the redundant information that a physical conversation contains. This leaves you with very little information to base any decisions on.

There are some technologies that can improve the trustworthiness of email, but not enough people use them, and again they are too abstract and technically complex for the average user to use.

I think the real solution to security is to get computer applications and protocols to be something that people can associate with. People should be able to make the same assumptions from the information received/processed on a computer as they would if they had done it themselves.

Or to state it in a simpler way: Computers need to become more human, humans should not become more like computers.

2 Responses to “You are infected/hacked and it is your fault”

  1. Eric Kumar says:

    Hi Robert, very interesting post, and I do agree with your opinion. The average computer user does heavily rely on the computer savvy to make sure they are protected and what they receive is legitimate and safe. I do think they have some degree of freedom to think so. On the other hand I also think that unless the average user takes computer security seriously there is nothing much that the security professionals can do to protect them. I had posted a blog entry about this subject on my personal blog, if you are interested please check out: http://fightmalware.blogspot.com/2007/10/average-computer-user-and-computer.html

    But as computers and technology advance, so does the generation, and when the less computer (and security) conscious generation passes away, there are better days ahead for computers (and security)!

  2. Robert Scroggins says:

    I agree wholeheartedly with you, Robert. It seems that users of everything now, whether it be automobiles, health care plans, or computers, tend to get blamed too often when problems occur. And if he wants to set things right, the user has to acquire part of the knowledge of the “insiders.”

    It’s a sad state, isn’t it?

    Regards,

    RS
