The myth of user education

Stefan Görling, Royal Institute of Technology, Stockholm

Many discussions in the security community tend to end in agreement that the only way to really address many of our current problems is 'user education'. 'User education' has in many ways become the default response to the fact that our security environment is becoming too complex for us to secure using software or hardware appliances.

However, what remains to be discussed is whether 'user education' is a way to go forward or whether it is merely a term used to avoid admitting our failure to create a secure environment for our users/customers.

Is there any reason to expect that the users would be interested in educating themselves? Is there any research indicating that 'user education' actually helps?

This paper aims to provocatively discuss two questions. First: should we expect our users to be interested in education? After all, they pay us for taking care of this, so that they can go on with their real work. Second: do we have any evidence that 'user education' leads to a higher level of security? Do the users actually change their behaviour in a way that mitigates risks? Are the risks we are seeing today addressable by increasing awareness?

