Something I've blogged about many times is the fundamentally flawed model of relying on end users to secure their own computers. I'm a supporter of security awareness training, but its value is limited to those actions end users can realistically be expected to understand and perform on a regular, frequent basis.
Case in point: a recently released study by McAfee and NCSA clearly shows that, despite home computer users' awareness of computer security issues, a large number lack even the most basic security protection. The results speak for themselves.
Security is a Priority. A majority of Americans think they have the following security software installed on their computer.
- 87% believe they have anti-virus software.
- 73% believe they have a firewall.
- 70% believe they have anti-spyware software.
Awareness of Online Threats. Americans also know about the many online dangers.
- 99% have heard of spyware.
- 75% have heard about phishing.
More from the survey:
- Expired Anti-Virus Software. While 92% of Americans think that their anti-virus software is up to date, just 51% have current anti-virus software that has received an updated DAT file within the past week.
- Disabled Firewall. Even though 73% of Americans think they have a firewall installed, only 64% actually have it enabled.
- Less than half have anti-spyware protection. While 70% think they have anti-spyware software, barely half actually have it installed (55%).
- No Phishing Protection. More than twice as many Americans report having antiphishing software as actually have it installed (27% vs. 12%).
A Change Is Due
Anti-virus software has been in existence and in use for more than a decade, yet we still rely on a user experience model that requires the end user to upgrade to a full subscription for trialware and to maintain an annual subscription for any updates. Annoying and confusing pop-ups with techno-babble interfere with end user productivity, resulting in disabled AV, firewall and other security settings.
Do anti-spyware, firewalls, and web browsers need to go through a similar decade of failed use and poor security practices? My hopes for Microsoft OneCare were that Microsoft would make AV part of the email client once and for all and include updates along with other system and security updates. While that's a bit idealistic because of the revenue that would be left on the table, it likely is where this will all end in the future, albeit probably a distant future. But browsers, for example, need not experience the same fate. Build in better detection for cross-site scripting, anti-spyware countermeasures, and sandboxed code execution.
In the end, we must re-examine our assumptions about the end user's role and experience with security software and settings, and develop more effective security software designs that limit reliance on end users to have the knowledge and patience to secure their own computers.