I’ve been at the Virus Bulletin 2012 conference in Dallas, Texas this week and there have been a lot of good presentations. I took notes on over 20 of them and thought I’d write about some of the more memorable ones.
One of them was a presentation entitled “Malware and Mrs Malaprop: what do consumers really know about AV?” by Stephen Cobb of ESET. Mrs. Malaprop is a character in an 18th-century play who habitually used malapropisms, that is, the wrong word to describe something.
He told the story of a massive fireworks failure in San Diego this past 4th of July, where the show badly malfunctioned. The co-owner of the fireworks company blamed it on a virus: somehow a piece of malware must have gotten into the program that controlled the lights display. The moral of the story is that if anything goes wrong in a computer program, users attribute it to a virus.
In my experience, this rings true many times. When my parents can’t get a computer program to run properly, it’s because of a virus. But in my parents’ case and in the case of this fireworks malfunction, it wasn’t malware at all. The causes of glitches are often far more complex and much less malicious.
So why don’t people know better?
The reality is that most users (68%) haven’t had any security training from their employer. Of the 32% who have, only one in ten had it in the past 12 months. Security training must be refreshed regularly, so this means that only 3% of people have had security training from their employers in the past 12 months!
But does this really matter?
Well, even with all this ignorance, the Internet has survived and hasn’t fallen apart. What we find is that 83% of people have heard of phishing, although only 58% correctly identified the definition of phishing. The more education people have, however, the better they do at identifying it.
How do people view the security of various platforms? Well, going from least secure to most secure, the order is the following:
- Windows PCs
- Windows tablets
- Android smartphones
- Windows smartphones
- Android tablets
- iPhones
- iPads
- Macs
This matches most of the press coverage of security that we see and read. Yet in spite of these perceived insecurities, the majority of people access the Internet from home using Windows PCs, the platform they believe is the most insecure. Clearly, there is a gap between what people believe and what they actually do.
Not only that, but there is another behavior/belief gap when it comes to social networks. About a quarter of people think that their private information on social networks is unsafe, and the doubt about safety is greater among those who spend more time on social networks. So the more you use it, the more unsafe you think it is… but you still use it.
This is reminiscent of the time Homer ate the rotten sandwich that made him sick but he kept on eating it.
What about security practices?
It turns out people are pretty good at assessing how good a password is in terms of strength, but they don’t necessarily use strong passwords themselves. I believe that the reason people do this (use weak passwords) is that it’s too difficult to remember strong passwords and therefore they use heuristic shortcuts.
Also, 91% of consumers use some sort of security software, by which they usually mean A/V. Of those who don’t, the reasons given are that they can’t afford it, can’t figure out how to install it, find that it slows down the computer, or find that it conflicts with other software. Some say that because they are using a Mac, a tablet or Linux, they don’t need it.
To conclude the presentation, Cobb made the following five observations:
- Even without security training, users are good at figuring things out.
- More educated users = more security-aware.
- There is an ongoing cost to consumers due to security failures.
- A/V software could be improved.
- Educating the market makes a lot of sense for security vendors (some would dispute this because it disrupts the business model).
Those were my takeaways from this presentation.