User education is a hot topic in information security. Through education we can empower our users to protect information in an environment that’s frequently challenging and where natural assumptions about behaviour don’t always hold true.
I wonder, though, if it’s possible to take this too far. Not all responsibility for the insecurity of systems, even when users take an active role in their configuration, can be placed with the users. As the designers, builders and architects of technologies we must also take some of the blame for manufacturing the unsafe tools and materials that we provide to the public.
Case in point: a recent report by Ofcom concluded that “The majority of people who use WiFi outside the home are not concerned about how secure it is”.
We provide users with a technology that gives quick, convenient access to large amounts of connectivity, and we make that technology completely ubiquitous. Whilst users clearly have a responsibility for their own security, is it also fair to blame them for not understanding why we failed to make its operation secure?
Technologies like eduroam are the antithesis of this. There’s a small investment of effort in the user’s initial configuration, but the payoff being offered isn’t an intangible improvement in security; it is the reward of being able to seamlessly access wifi connectivity across the campus, the country and the globe (and, as a side effect, it’s more secure).
If you are developing a new system, think about how you’ll encourage the right sorts of user behaviour. Safe, easy to use defaults are a good starting point.