On 2013.03.28 00.45, Carol Waters wrote:
> At the risk of igniting an inbox-exploding smackdown thread, I
> think the following piece by Schneier
> <http://www.darkreading.com/blog/240151108/on-security-awareness-training.html>
> is definitely worth a read and thoughtful discussion; particularly from
> the POV of both trainers and developers.

While I understand where he's coming from, and while he may even be correct when it comes to the strict integrity of the host system with which the user is interacting, he's significantly wrong if we take even a slightly expanded view of what security is.

Security is the ability to maintain agency in the performance of some set of real human actions in the world, in the face of hostile acts, and, moreover, to have some degree of assurance of one's continued agency.

Much of security is and will always be about user behaviour. We cannot separate physical security from digital security, nor can we, in our modern heavily surveilled world, separate awareness of one's behavioural threat model and the interactions between things like the linkability and confidentiality properties of a channel, the data one is sending over that channel, and what one's adversaries' capabilities and intents are.

Real security "awareness" training (and I don't think for a second that what most people are given as this is sufficient, except in the literal sense of making them aware the problem exists) must give people the tools to understand these kinds of calculations and tradeoffs on their own.

Yes, we must do far, far better than we are right now with our tools -- we need our tools to do everything that a computer can do to keep its humans safe, but even that isn't enough. It's great to have a self-driving car that will ensure you never get into a car accident, but when your actual adversary is an MQ-9 doing signature strikes, it's not going to help at all.

E.

-- 
Ideas are my favorite toys.
