Wednesday, February 14, 2007

User Education, Computer Safety, and Auto Safety

So, some recent discussions about user education and computer safety had me looking for analogies again.

In a response to Jeremiah I said I thought we ought to compare user education for computer security to user education for other things, like driver education. My contention is that we ought to expect some minimal level of proficiency to operate a computer, just like we ought to for a car.

The story of automobile safety is more complicated than this though. Cars exist in a complicated ecosystem much like computers on the internet. We have car safety systems and the overall driving environment which includes other drivers, traffic signals, etc.

Car safety systems aren't single-purpose either. Some car safety systems are directed towards the safety of the occupants only: seatbelts, airbags, crumple-zones, safety glass. Other safety systems are designed to protect both the passengers and other drivers by making accidents less likely: ABS, traction-control, AWD.

In general we also configure these safety features to default-on configurations, with the notable exception of seatbelts. We tried the mandatory seatbelts-on feature in the mid-1990s but it was generally rejected and then abandoned when airbags came out. So, we went instead to laws requiring seatbelt usage, and some states/localities are even performing random seatbelt checks. The interesting point about these laws is that seatbelts don't actually reduce the dangers to others - they are a safety device that only protects the passengers.

Back to my point...

In cars we have multiple safety systems. We keep improving the safety systems and we try to configure them in a safe-by-default mode. With certain safety features that aren't on by default (seatbelts) we've passed laws to make their use mandatory. On top of that, we have mandatory testing for all drivers, and we impose different driving tests and rules for regular users and "power users", i.e. those who drive more complicated or dangerous vehicles such as large trucks.

Cars are a relatively new technology. They haven't been around for more than about 100 years (give or take a little) and the landscape is continually evolving. The US Government (and other governments) realizes that car safety is multi-faceted and regulates not just to drive desired outcomes, but to specify certain mandatory safety features for cars and a mandatory testing regime to assure suitability to purpose. It took us until 1950 to have seatbelts in cars though.

Why is it that we're not willing to do the same for computers?

In the computer world we don't mandate safety features. We don't have any testing standards to ensure the safety standards are being met. We don't have mandatory user education or testing.

But computers can pose a risk to both the user and to others without "proper" use. It's not often that a car sitting in your driveway can cause an accident on the other side of the world. Not so for a computer.

When cars first came out we didn't have seatbelts, traffic lights, etc. Things like ABS and traction control were far off in the distance. What drove their adoption was liability, government regulation, general common sense, and an avoidance of the tragedy of the commons.

Perhaps someday we'll be that lucky in computing.

Of course I'd be remiss if I didn't point out that despite all of the mandatory seatbelt laws we aren't driving down accident and fatality rates that much. Drivers who are tested with and without a seatbelt behave in a more dangerous fashion when they are buckled up, so seatbelt wearing tends to help protect the driver, but maybe not others, as much as we'd have hoped.

I came across a study that I wish I could find a reference for that said that users in a corporate environment with AV software and other prevention mechanisms actually behave in a much more risky fashion than they would with their home computer. Because the business is responsible for ensuring the security of the system, and business data rather than personal data is at risk, users are less risk averse using their work computers. This doesn't mean the exploit rates are lower, simply that users aren't as careful when they think they have certain protection mechanisms in place.

