Network World
Saturday, November 22, 2008

Community: Security


Not so much willful ignorance

Frequently, it really is ignorance, but not wilful ignorance. Compare it to smoking. It's been very widely reported that smoking is bad for you. Smokers aren't ignorant of that, but they smoke anyway. But let's make smoking more like the world of online risk: Suppose some cigarettes are actually beneficial or necessary. Suppose also that the good and the bad cigarettes look and feel pretty much the same to most people, and there are no warning labels on the bad ones. Suppose even further that many people have ignorant friends and relatives who spread misinformation about what's risky and what's not.

Those who have trouble distinguishing the risky from the non-risky aren't being wilfully ignorant.

Another effect that's not wilful ignorance is the perceived probability. If a supposedly risky act is easy to take and there are no visible consequences (this time), it's easy to think it wasn't so risky after all.


Wilful Ignorance?

0

Given that ignorance is defined as the lack of knowledge, it is unlikely that anyone can be wilfully ignorant. The real question which the article does not answer is whether those surveyed 1) knew they were not supposed to divulge these details but did it anyway 2) whether or not the companies in which they work have computer security education and security policies. Perhaps the term that renman should have used is were they ignorant or did they wilfully disregard what they knew. The problem renman misses here is that if the researchers had been criminals, the impact is not only on the individuals that give away confidential information, but that in so doing they jeopardize the rest of us as their computers turn into spambots, their money gets stolen causing bank profits to drop until the banks raise rates to compensate. As the article says, unless these people are troglodytes, they have to have heard about security, and they must be pushed to practice good security. Ignorance is only an excuse the first time, and I rather doubt that at least most of them just went for the candy bar...that's not ignorance, that is stupidity.

security is up to someone else

0

True, there is a steady input of security-related information. But employees also get a steady stream of information from their managers and the media reinforcing the idea that individual employees and jobs really are of no value to the company. And if the employee has so little value, how valuable can the data and systems they work with be? All that security training must be meant for someone else.

Someone else - maybe

0

I think you hit one problem and it may be one of the worst in security. Security, as so many other aspects in IT, is today seen as a "specialist" job which doesn't count anyone else - until something bad happens?

I remember teaching the first security framework in a big company long ago. It was supposed to be basically to a limited audience. Once the word spread, I had to have three more courses, people from all organizations and departments did want to learn about security, what and how it would work for them. I don't see that happening today, as I said, employees are told to execute something, not to learn about it, and it creates a "not my problem" culture very fast.

At least I have found that sharing information and getting people interested is always better to whatever my goal is than just giving orders which often look just more work for individuals.

People are notorious liars

0

Mark,

While I do understand the point that you are making with the chocolate poll I'd like to make a couple of comments.

First, I'd like to point out that people are notorious liars. They lie to their doctors. They lie to their spouses. They lie to their lawyers. And they certainly lie to pollsters. They don't take polls seriously. I know that I would not take such a poll seriously and would probably just ask the pollster to qualify the question with the quality and quantity of chocolate offered before saying yes.

You made a point in both columns about people giving out their name and phone number to the researchers who could have had "endless fun with the respondent's lives" with this information. If this is so, then why is the phone book still being printed? Why are people handing out billions of business and personal cards every year with this information on it if it represents such a security risk? Even if you add in the respondent's birthday, the researchers would have had limited ability to mess with the respondent's lives. My point, I guess, is that this information is easy to obtain without the participation of the victim. Most large companies actually print employees' birthdays in newsletters. My representatives have started sending me birthday cards (to show how close we've become over the years, I guess). Those cards have a lot more information on them than what was obtained by the pollsters. A phone number wouldn't be hard to find.

Any serious criminal would be better served by getting in a pickup truck, driving down an affluent neighborhood the night before trash pickup, and loading up all the bags of garbage they could find. The discarded payment stubs and credit card offers would supply far more information than the victim's name and phone number. And if this information was lacking, look it up in the phone book or a cross-reference directory. Granted, a lot of people use cell phones and aren't in the phone book, but anyone who has ever worked for a collection agency or as a skip-tracer would be able to get enough personal information about you within 24 hours that it would shock the pants off you.

My point is that a poll asking silly chocolate questions and asking for easily obtainable data wouldn't be taken very seriously by anyone. I'm surprised the numbers weren't more lopsided.

Of course, I realize that once we move into pastries we hit a whole security dilemma. While a doughnut would easily get you a username and password, an eclair would allow any unsavory researcher to get not only the employee ID badge but their security scanner card. You've got to realize that everyone has their price.

One naive user can bring down the whole house of cards

0

You're right, there was definitely some fibbing going on but I wasn't claiming that the poll was scientific, merely indicative. So, sure that some percentage lied but by the same token I'm sure that some percentage didn't and therein lies the problem -- one naive user can bring down the whole house of cards.

A question

0

A question -- when those various people provided the information for a candy bar, how many of those people were actually providing accurate data?

In other words, in exchange for a candy bar, what was preventing the individual from just making up some random password? Or making up a date of birth? And so on.

In effect, those people are getting a candy bar for "providing" useless information -- something for nothing.

It only takes one user

0

Indeed, some or even many will lie but equally some will not and that's the point -- it only takes one naive user to bring your security house of cards tumbling down.

Not that amazing

0

I'm not sure why you found it astounding that people would give up a date of birth. It's not exactly secret information. Especially here in Ohio where it's printed (as the expiration date) on the registration sticker on the license plates that we're required to put on our cars! That's just *one* particular example of how easy it is to get someone's date of birth…

It was the ease with which they gave it up

0

Brian,

I'm more surprised that people would give up so much information in one go ...

Sure, lots of information on individuals is easily found if you are motivated to search it out but in the context we're talking about -- a survey in a public place -- you'd think people would be more circumspect. Perhaps they were and a percentage lied but then that means a percentage didn't and it only takes one naive user and your security is breached ...
