Stefan Görling, Royal Institute of Technology, Stockholm
Many discussions in the security community tend to end in agreement that the only way to really address many of our current problems is 'user education'. 'User education' has in many ways become the default way to address the fact that our security environment is becoming too complex for us to secure it using software or hardware appliances.
However, what remains to be discussed is whether 'user education' is a way to go forward or whether it is merely a term used to avoid admitting our failure to create a secure environment for our users/customers.
Is there any reason to expect that the users would be interested in educating themselves? Is there any research indicating that 'user education' actually helps?
This paper aims to provocatively discuss two questions. First: should we expect our users to be interested in education? After all, they pay us to take care of this so that they can go on with their real work. Second: do we have any evidence that 'user education' leads to a higher level of security? Do the users actually change their behaviour in a way that mitigates risks? Are the risks we are seeing today addressable by increasing awareness?