Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

VB 2006 - One Week Later

Created: 20 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:55:57 GMT
Sarah Gordon's picture
0 0 Votes
Login to vote


It's been a week since I finished my VB talk (almost on time). WhileI didn't get to the part of the talk exploring computer games and fun videosand their relevance to teaching people about security (and computerskills in general, and life skills, too!), I did get some interestingfeedback from some of the delegates. The one thing I've heard mostconsistently is that the ideas my talk put forth apply to technicalpeople, as well as not-quite-so-technical people. My first reactionwas—“wow”. I was hoping it would eventually get around to this. Onepurpose of the paper was to initiate bridge building between differentmindsets. The fact that I was able to get this across in the firstsegment of this research is just, well, unexpected.

People seemed to really be interested in the analogies drawn, whichshowed that using two products for the same general purpose, at thesame time, can be a recipe for stellar results OR total disaster.(There were more than a few comments on the pictureI used to illustrate this.) Apparently, my crazy dog does a rather goodjob impersonating a crashed computer. :) Rather than try to explainthis, or the myriad of concepts in the paper, I think its best to justdirect anyone interested in the paper to a copy or link that I’ll poston here soon.

The volunteers were great. I really appreciated their help turningthe presentation into more of the interactive workshop it wanted to be.I was afraid that Joe, the first volunteer, was going to disprove oneof the key theories used in the paper; but, at the last minute, heproved that even someone with the best memory has limits to the numberof things they can remember "in series". The gentleman from Universityof Calgary who suggested “electric shock” as a way to educate userscame up to me later and said he really was serious: it couldbe useful as a negative stimuli for those users who click "yes" withoutreading the fine print. Well, I must admit I think that's going a bittoo far. He must have been joking. The amount of time it would take tofind volunteers and get through one of the “research with humansubjects” ethical committees alone would be prohibitive; not tomention, there's probably not much useful application to be gained fromthat type of experimentation.

Anyway, several people asked if I could make an all-day thing of it,and really get into some of those ideas about cognition, learningstyles, and building effective security education programs. This tellsme that those who claim user education does not work are wrong. Or,maybe they are right, but only about the sort of user education thatdoesn’t take the differences between users into account. The fact is,user education does work. It just has to be the right kind of education for the user.

Ok, so that's complicated, considering there are so many types ofusers and so much information. Or, is it? I think it’s pretty simple,actually. I think some time spent studying how people learn can helpany department build an effective user education program. I'm thinkingof actually turning the presentation into a workshop if there is enoughinterest. I've already been invited to present it in workshop formatover in the UK, and there are also two conferences (one in Budapest and one in the UK)coming up, where I hope to get the chance to talk about some of theseideas with a wide variety of people. Maybe I'll submit the idea as aworkshop on having a workshop—all in the spirit of recursion. :)

For now, I'm just preparing for two workshops at the Santa Fe Institute.On November 1st and 2nd, I'm fortunate enough to be able to take partin the fifth annual Adaptive and Resilient Computing Security Workshop(ARCS2006). Some of the more interesting (to me) topics include thediversity & immunological approaches, topological effects incomputer networks, machine learning and defense strategies, design ofself-healing networks, and alternative models (economic, predator/prey,etc.).

I will be facilitating a discussion on the concept of "hackers," asportrayed through the media and exploring some of the more complexsocial issues related to hacking and society. Later on in the week,there are some workshops that sound really interesting in the Business Network agenda, and I’ll get the chance to meet with some authors of new and exciting research papers.