EUIST


Empowerment for end-users

October 3rd, 2007

Recently we posted:

2 ENISA – awareness raising study – what it does not explain

3 ENISA – awareness raising study – better prevention thanks to data crunching

Windows Vista – security that requires end user attention is not security
Windows Vista does not make it easy for users to protect their systems. Changing the contexts in which risky behavior regarding surfing on the Internet or information security occurs may be more successful than changing the way adolescents think about risk.
While empowerment is an important concept that will help, context-aware training to raise awareness about information security is the key.

Empowerment has become a rather popular concept. In fact, it is considered ever more often when designing and implementing campaigns that intend to raise user awareness about information security. While empowerment is a powerful and helpful concept, unless we define what we are talking about, many security experts will be puzzled.

Empowerment – what is it? (Please click on the above link, log in as guest, click on the link again and voilà, free access.)
1. It is a multi-dimensional concept in that it occurs within sociological, psychological, economic, and other dimensions.
2. Empowerment also occurs at various levels, such as individual, group, and community.
3. Empowerment, by definition, is a social process, since it occurs in relationship to others.
4. Empowerment is a process that is similar to a path or journey, one that develops as we work through it.

So now we might ask, how does this relate to information security issues? Glad you asked. Awareness raising initiatives have focused on making end-users more knowledgeable about the risks they are taking when making certain decisions on how to use their information technology (e.g., opening a malware-infected e-mail attachment or visiting a suspicious website).

1 ENISA – awareness raising study – what it can tell us

This seemed a viable strategy considering the ever greater complexity users face when trying to protect their privacy and keep their PC from becoming part of a botnet. For instance, Windows Vista’s User Account Protection, and how Vista deals with security in general, is not easy for the user. In particular, people are complaining about all the popups that Vista puts up when a change to the system is requested that may be harmful. Needless to say, security that requires end user attention is not security.

For most users, a major concern regarding patches (please click on the link, log in as guest, click on this link again and voilà, free access) and bugs is the monthly update, or Patch Tuesday, for Microsoft products. Somehow these have to be installed to help better protect the home PC against attacks. But most of us have limited knowledge about what Microsoft does in the background with our PCs:

Is Microsoft fiddling with system files without permission? Survey says ….

Hence, security with our PCs is getting more complex and, worse, most of us have no clue about what Microsoft and other software may do in the background when we surf the internet. Naturally, this cannot result in greater empowerment for the end-user but, in fact, reduces empowerment instead.
Additionally, research indicates that adolescents’ risk taking is such that it impels them toward thrill seeking. This suggests why educational interventions such as awareness raising initiatives designed to change adolescents’ knowledge, beliefs, or attitudes about information security have been largely ineffective. In fact, they will continue to be ineffective unless ….

These issues will be discussed in more detail, applying the concept of empowerment, at an upcoming session of the 6th International IT & Information Security Symposium, GOVCERT.NL (are you a master of your own identity). You can get more details about applying such research findings to empower users to better protect their information assets and privacy here:
1 – govcert.nl 2007 conference – user empowerment and information security

CONCLUSION

To empower end-users requires operating systems and technology that users can understand. Additionally, awareness raising initiatives in the area of information security must begin to take age into consideration and, as importantly, address risk taking in adolescence.

Unless we try to deal with these issues, we will continue to have younger members of our information society who apparently fail to apply what they know when it comes to becoming victims of cybercrime, data security breaches and identity theft, to mention a few examples.

We will follow up on this story.
