Jakob Nielsen's Alertbox, October 25, 2004:

User Education Is Not the Answer to Security Problems

Summary:
Internet scams cannot be thwarted by placing the burden on users to defend themselves at all times. Beleaguered users need protection, and the technology must change to provide this.

Computer users suffer myriad security problems, including:

viruses and worms,
"Nigerian" scams (email asking you to help smuggle out a supposedly large sum of ill-gotten gains),
phishing (falsified email, purportedly from a known vendor's customer service department, asking you to go to a masquerading website and enter your account information), and
spyware and adware that install software on your computer without your informed consent (although some operations might claim to have consent, most people don't know what they're agreeing to when they click "OK?" buttons on the Web; for true consent, users must know that software will be installed and want the adware feature activated).

Whenever the press covers a new outrage, you'll surely see quotes from security experts lamenting users' stupidity and advising companies to better educate users about appropriate security precautions.

However, user education should not be the main approach to countering security problems for three reasons.

First, and most importantly, it doesn't work. Computer security is too complicated and the bad guys are too devious and inventive. It’s simply unrealistic to assume that average users can keep up with them. Yes, you can tell people not to click on attachments in email from strangers, but then attackers start sending email that apparently comes from your boss, your wife, or your best friends. In a modern office, you can't do your work without clicking on attachments.

Second, user education puts the burden on the wrong shoulders. It's like the old Wild West, where the answer to crime was that every man carried a gun. In civilized society, we've abandoned this approach in favor of a professional police force to deal with criminals. When there is a mismatch between technology and people, the answer should not be to change the humans. The answer should be to change the computers. Computers and the Internet were both developed under the assumptions that everyone was trustworthy and there would never be any crime. That's obviously no longer true, and we need to rearchitect the technology accordingly. Even the Old West eventually transitioned to laws, courts, police, and jails.

Third, as long as we keep the burden on users rather than fix the technology, we'll never realize the Internet's full benefits. Instead, we'll alarm users and make them ever more reluctant to use the technology to its full potential. In usability studies, we're already seeing that people are getting very reluctant to give out their email addresses. This is even true with legitimate e-commerce sites that would not spam them, making it harder to send customers useful newsletters and confirmation messages.

The Web feels like the seedy part of town. People are under siege from a constant stream of attacks and unpleasant intrusions. We can't continue to let users feel scared and intimidated. We can't continue to deprive them of protection.

The "Lock Your Car" Analogy

A common counter-argument to my position is that it's reasonable to require users to take responsibility for their own security. It's like expecting people to lock their cars when they park them.

The analogy doesn't hold, however, because of the differences between the physical and virtual worlds. In the real world, burglars have limited reach and the average household need only protect itself against average burglars. We need not make our houses and cars so secure that they can resist an attempt by the KGB's most experienced break-in team. Only places like the CIA need to secure their facilities against sustained efforts by the world's best bad guys. To do so, they employ hordes of security experts.

The virtual world magnifies the reach of the nasty guys. A single cracker who discovers a security hole can attack billions of users. Every single netizen therefore needs protection against all the world's computer criminals, not just the neighborhood hacker.

Users will certainly become more informed about flourishing Internet scams, just as most of us are generally aware of auto thefts and home break-ins. As we found in our study of how children use the Web, kids are highly aware of the dangers of giving out personal information or downloading software. And it doesn't hurt to remind people not to give out their passwords. It's good for financial websites to post clear policies stating that they'll never email customers asking for password information. Such steps are necessary, but simply insufficient.

Similarly, we can't expect system administrators to keep their servers updated with all the latest security patches. For one thing, many companies don't have professional system administrators. In small companies, the owner or office manager is often in charge of the computers. Even mid-sized companies might not have available security expertise because each of their resident geeks is burdened with projects that would typically require a big IT department's entire team.

Solution: Rearchitect Security

The only real solution is to make security a built-in feature of all computing elements. Yes, it's time to discard the assumptions that computers are only used by noble-minded academics, that the only valuable information stored on the system is drafts of research papers, and that the only other people on the network are university colleagues.

Instead, we need to take several specific steps:

Encrypt all information at all times, except when it's displayed on the screen. In particular, never send plaintext email or other information across the Internet: anything that leaves your machine should be encrypted.
Digitally sign all information to prevent tampering and develop a simple way to inform users whether something is from a trusted source. This might, say, replace current stupid security warnings that people don't understand because they expose the guts of the technology. ("The security certificate has expired or is not yet valid." Aha. And what does that mean to a normal person?)
Turn on all security settings by default since most people don't mess with defaults. Then, make it easy to modify settings so that users can get trusted things done without having to open a wide hole for everybody.
Automate all updates. Most virus software downloads new virus definitions in the background, which is a good first step. The automated patching introduced with Windows XP's SP2 is also an improvement.
Polish security features' usability to a level far beyond anything we've seen so far. Security is inherently complicated, and it's something users don't care about (until it's too late). The user interface requires the ultimate in simplicity. Heavy user testing and detailed field research are a must.

There are several other needed steps as well, including non-usability issues such as reducing the number of software bugs.

Finally, society must take a more proactive approach to criminalizing and hunting down spammers, phishers, virus writers, eBay fraudsters, and others who violate users' rights. We need big-time FBI task forces dedicated to these problems because their impact on the economy and on citizens' well-being is now greater than many old-fashioned crimes that absorb law-enforcement resources.

Approaching security systemically is a big project, but it's the only realistic way to ensure safe computing and make people feel good about the Web.

> Other Alertbox columns (complete list)
> Sign up for newsletter that will notify you of new Alertboxes