As an industry, no matter how many defensive tools and tactics we use, attackers can still pwn our networks and organizations by tricking nontechnical people into committing simple security errors. To truly turn people into another line of defense, we need to adopt another mindset and a new set of tactics to help us all bring more people onto Team Security. The best security education entertains and approaches people on their own ground and doesn’t feel like work or a struggle with a completely foreign language.
More often than not, security practitioners tend to speak in highly specialized technical terms, which puts users at a complete and utter disadvantage. Part of working toward better security outcomes with a nontechnical crowd requires shunning industry jargon and metaphors (military terms, locks, safes, etc.) for more universal, approachable examples that don’t have an element of fear or threats behind them. It’s much simpler to convey the planning, forethought, and the proactive mindset required for security through nonthreatening, approachable metaphors than one might think, and this approach is more effective when building positive and empowering elements in education rather than focusing on problems, failure, and holes. Too much security advice out there is contradictory, and too many practitioners are quick to dismiss the few tools that end users can adopt to improve their security. This is particularly disempowering for nontechnical audiences because without the skills or knowledge to evaluate the information in front of them, they have no way to figure out what to trust or what advice to follow.
Fixing our education and awareness issues requires a diverse set of tactics. There’s no technological tool that can fix this problem: changing behavior requires investments in security education and a mindset focused on going beyond trying to use technology to solve our “security problem.” Jessy Irwin offers a crash course in people, communication, and security education for anyone and everyone who wants to protect and convert nontechnical users into a helpful, engaged line of defense. If we tweak our attitudes, approaches, and terminology to be more people-centric, we can change the way we talk about security altogether, leading to improvements in the big picture.
Jessy Irwin focuses on security awareness and end-user education for nontechnical audiences. Based in San Francisco, she is a prolific writer and outspoken advocate for stronger privacy and security protections for people everywhere.
©2016, O’Reilly UK Ltd