Earlier this week an article appeared on the BBC website called "How can we stop being cyber idiots?". I took umbrage at this for a number of reasons.

First, why alienate readers by calling them idiots? Most people who use computers (I won’t call them users because, as a friend of mine pointed out, "users" has negative connotations around drug and alcohol abuse) generally try to do the right thing. This doesn’t make them idiots.

Second, if people haven’t been educated about the risks of their actions, they may not understand the consequences of not following any guidance they’ve been given. This is a failure on the part of information security professionals: not providing meaningful education which reaches everyone, and which informs and encourages good behaviour. It doesn’t make the people using computers idiots.

Third, why assume that everyone knows what is right and wrong? As Rik Ferguson pointed out on a podcast I listened to last year, every day is someone’s first day online. So every day someone needs to be told the basics of information security. This doesn’t make those people idiots.

There seems to be a general assumption that everyone knows everything they need to about good cyber security practice, but that’s just not true. It’s an everyday and ongoing challenge to help people understand the consequences of their actions. The risks are constantly changing and evolving, so security professionals like me need to make sure we’re spreading the right messages in the right way.