Are we doing it right?

Hey, everybody!  Long time no blog, I know.  Things have been busy.  I wish I had some story involving me being chased by a bear and living to tell the tale, but it's just been run of the mill responsible adult blah, blah, blah.  Sorry, but that's all I got. Still, apologies are not the reason for my triumphant return to blogging.  This article is the driver: End Users Still Don't Know How To Handle Personal Data, Study Finds [1]

I don't know much about iYogi Insights, but the research they share is enough to raise an eyebrow.  Here are some factoids:

  • 80% of their survey respondents shop online
  • 30% of Americans have been victims of cybercrime
  • 20% do not use protection while surfing the web
  • About 17% use no AV

So there is the activity observed.  Here are some of the sample population's perceptions:

  • 10% think it is OK to share credit card numbers
  • 30% don't think birth date is sensitive information
  • 40% think it is safe to share full name, address, and email ID
  • 66% think they are protected from attack by sticking to known reputable sites
  • 66% think they are protected if they avoid using public terminals

The context for the survey is the consumer population. This is interesting data but it is not where I live.  My role is helping to secure the enterprise population and protect my company's data.  This is not applicable to me.  Or is it?

At first glance consumer users and enterprise users are two different populations.  However, after a little reflection I have concluded they are not different.  They are the same population of people but the context is different.  In one context the population is surfing in their underwear.  In the other context they are in a polo and khakis crunching numbers for quarter end.  Other than that, they are the same people.

Will the change in context really alter their fundamental interpretation of what is safe and dangerous from a data protection perspective? My hypothesis is this: Probably not.

Let's take a look at the risk this situation presents.  The threat actor here is a person ignorant of the value of their data.  The Contact Frequency (CF) equals the number of times per year the enterprise population interacts with sensitive enterprise data.  The Threat Event Frequency (TEF) is the number of times per year the enterprise population does not handle sensitive data properly.  The Loss Event Frequency (LEF) is the number of times per year you get a call because Bubba in Accounting sent an unencrypted spreadsheet with cardholder data to someone outside the company.

What do those numbers look like for your company?  What is your general sense of that risk based on rough estimation using the factors above?

I just want you to think about this risk for a second.  There are technical controls available to mitigate this kind of risk.  From what I understand, these solutions work reasonably well.  Still, those controls address the symptom but not the root cause, which is user ignorance of the value of data.  How do we address the root cause?

Perhaps if we better educated our enterprise personnel, we could reduce the risk of ignorant users.  This raises the question of whether we prioritize user education properly.  To answer this question, we must first answer some other questions:

  1. How much risk do enterprise users ignorant of the value of data present our organization annually?
  2. Would we reduce our risk significantly if we invested more in our education?
  3. How does that reduction compare to the technical controls available?
  4. Which is the more effective control against the ignorant user: Technology or Education?
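To make the rough estimation concrete, here is an added example (mine, not from the post) that wires the CF, TEF and LEF factors above into a small model and compares the two controls question 4 asks about. The loss-per-event figure, the control costs and the reduction rates are constructed assumptions, not numbers from the article.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DataHandlingRisk:
    """FAIR-style factors from the post, plus one assumed extra (loss size)."""
    contact_frequency: float       # CF: contacts with sensitive data per year
    p_mishandle: float             # share of contacts handled improperly; TEF = CF * p_mishandle
    p_loss_given_mishandle: float  # share of mishandlings that become a loss event; LEF = TEF * this
    loss_per_event: float          # assumed average loss per event (not in the post)

    def tef(self) -> float:
        return self.contact_frequency * self.p_mishandle

    def lef(self) -> float:
        return self.tef() * self.p_loss_given_mishandle

    def annual_loss(self) -> float:
        return self.lef() * self.loss_per_event


def with_education(risk: DataHandlingRisk, mishandle_reduction: float) -> DataHandlingRisk:
    """Education targets the root cause: fewer contacts are mishandled (lower p_mishandle)."""
    return replace(risk, p_mishandle=risk.p_mishandle * (1.0 - mishandle_reduction))


def with_technical_control(risk: DataHandlingRisk, catch_rate: float) -> DataHandlingRisk:
    """A technical control treats the symptom: mishandlings still happen, fewer become losses."""
    return replace(risk, p_loss_given_mishandle=risk.p_loss_given_mishandle * (1.0 - catch_rate))


def compare_controls(baseline: DataHandlingRisk, education_reduction: float, education_cost: float,
                     tech_catch_rate: float, tech_cost: float) -> dict:
    """Avoided annual loss per dollar spent on each control; costs are assumed inputs."""
    base = baseline.annual_loss()
    edu = with_education(baseline, education_reduction).annual_loss()
    tech = with_technical_control(baseline, tech_catch_rate).annual_loss()
    return {
        "baseline_lef": baseline.lef(),
        "education_avoided_per_dollar": (base - edu) / education_cost,
        "technical_avoided_per_dollar": (base - tech) / tech_cost,
    }


# Constructed illustrative numbers; substitute your own company's estimates.
BASELINE = DataHandlingRisk(contact_frequency=50_000, p_mishandle=0.02,
                            p_loss_given_mishandle=0.01, loss_per_event=25_000)

if __name__ == "__main__":
    print(compare_controls(BASELINE, education_reduction=0.5, education_cost=40_000,
                           tech_catch_rate=0.8, tech_cost=200_000))
```

With these constructed inputs the baseline is 10 loss events a year; the two controls also compound, since education lowers how often the technical control has to catch anything.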

I've taken an informal and unscientific poll of my peers and it seems that education is almost always that item on the task list that rarely finds priority.  Yes, we know we should do it, but the technology solutions generally seem more pressing.  Is this because technology is more effective or that security professionals put more faith in technology than education?  I don't know.

What I do know is that this article made me question our approach to user education as a profession.  Are we doing it right?  Leave your thoughts in the Comments.


[1] T. Wilson, "End Users Still Don't Know How To Handle Personal Data, Study Finds," Dark Reading, 19-Jul-2012. [Online]. Available: [Accessed: 19-Jul-2012].