Re: The home user problem returns

[Elizabeth Zwicky <zwicky () greatcircle com>]

On Sep 13, 2005, at 12:23 PM, Tina Bird wrote:
> i disagree. i don't know *anyone* who willingly makes a fundamental,
> significant change in their behavior without pain as a motivator.

On the one hand, I agree with Tina -- people change their OWN
behavior based on their OWN pain. On the other hand, this insight
leads people to some terrible attempts at training, because people
(dogs, cats, octopus, anything with a brain of reasonable size)
do not respond effectively to imposed pain. Positive training
methods always work better on long-term measures.

Why is this relevant in security? Because the principal problem
is NOT that people don't feel pain when they screw it up -- it's
that there's absolutely no reward for doing it right (in fact,
it often causes pain itself). If more secure solutions were
faster, nicer, more fun OR cheaper in practical terms, we
wouldn't have the problems we do. Asking people to choose
long-term lack of pain over immediate reward is like asking
water to flow uphill. It can be done, but it's an awful
lot of work...

As long as you're working on increasing the pain for bad
security and making it happen faster, you're still
working on doing things the hard, ineffective way. If
you can get a reward for good security, then you're
working with the flow. If you want people to patch
their systems, show an interesting video clip only
available during patch downloads. Or whatever.

        Elizabeth Zwicky
        zwicky () otoh org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards