The endpoint security software industry lives in the time equivalent of the 1970s/1980s AMF Harley Davidson. In 1969, AMF (who made golf carts and bowling pin setters) bought Harley Davidson. They owned them until 1981, when they sold it back to a group of investors. I tell you all this because during that time HD quality went into the crapper. There’s an old joke that if you ever need a tool (like a wrench or screwdriver), just ask a Harley rider – they always carry tools on them. It's true - I had it happen on my way back from Sturgis a few years back. In order to ride one of those AMF HDs, you had to be a mechanic. Anyone else would just say heck with it and buy a Japanese bike.
So let’s talk about endpoint security software. 1.) It knows relatively little about what the user is doing or the context they are doing it in. 2.) The default mode is to “inform” the user of security problems, risks, attacks, vulnerabilities. Even worse, security monitors like the Windows Security Center icon warn if your hard disk needs backing up. (That’s a security risk?) Just like those AMF Harley riders who weren’t mechanics, the average computer user has NO CLUE what most, if not all, of these firewall, AV, Windows balloons, etc., mean. To use another analogy, it’s the equivalent of Chevy asking us to operate our vehicles by reading and adjusting timing, fuel mixture, and spark using a HyperTech Programmer just to use our car or truck.
What the current model overlooks is matching the fidelity of the software to the user’s knowledge, abilities, and the user’s perceived relevance to their use of a computer. There’s currently a chasm between what security products communicate and what most users can actually understand: why they even got the message, what in general the message is about, its actual meaning, what question is being asked (when they are given a choice), and why they should care (in terms they would understand). It would be like asking us to use that HyperTech computer just to drive our car down the street to get milk at the grocery store. When this happens repeatedly, the user sees these actions as an annoyance, at a minimum, and as a barrier to their productivity.
So let’s tie in user education. Remember the general rule of training: most attendees retain less than 20% of the training 24 hours to 7 days afterward. I believe there are two keys to training. First, you must build training at the level the audience can understand. If the user’s skill level is logging on, using Word, Excel, Outlook and printing, then explaining to them even the most basic points of how things like phishing emails, aliased URLs, etc., work is beyond their skill level. The second most important thing about training is that the user must perform the actions and apply the knowledge learned almost daily to retain any of the training. Because of this, it’s my belief that most end user training is pretty much useless if it ventures much beyond password security, locking your computer with a screen saver, etc., and overall awareness training.
Lastly, I have an axiom about end users and security. End users configure their computer for convenience, not security. Given a choice, especially when security seems “Greek” to the end user, they will always choose convenience. I’ll say more about this at another time if needed.
I have a lot more to say, especially on how to make security more automatic, but I’ll stop here and let Andy or others jump in with rebuttals, etc.