Enough with the Hoodies: Education without the scare tactics
Growing up, I had DARE & abstinence-only education, which were comprehensive national education programs designed to educate children and keep them safe. They are an easy sell with a “wholesome” and straightforward answer to an otherwise complicated subject. “Just Say NO!” can be readily understood by young and old and easily marketed. Why not for InfoSec? Why not on a national scale?
The ubiquity of electronics has grown exponentially. According to a 2017 article by the Pew Research Center, 33% of all Americans live in a household with three or more smartphones and a whopping number of 80% of households with at least one laptop or desktop.
Breaches are growing at an astounding rate, and records are stolen at a steady clip.
“Sorry! We got breached ☹” they say shrugging their best shrug while their hands are still numb from sitting on them for so long.
“We don’t think it’s a problem, but change your password anyway.” Crossing aforementioned numb fingers “And guess what? You get credit monitoring, and you get credit monitoring, and you get credit monitoring!”
The eventual Krebs article is posted, Forbes picks it up, and your friendly skid tweets about it between rounds on PUBG. I go and show my family who replies “Oh Josh, I have nothing to hide. I don’t care about this hacker crap” Actual freaking quote by the way. The cycle then repeats.
As an ethical hacker, who lives and breathes IT Security daily, it’s hard to convince my family to follow best practices. Sometimes I can, for a while, then it gets “too annoying” or things “keep breaking”. “So,” you ask, “Is there hope for us on a grand scale? What can we, the average person do?”
I am glad that you asked kind stranger! There is hope! What, you may ask, well, it’s a free dark web scan… just kidding, sorry Rudy. Patience. The answer is patience. Security is hard, the concept is easy, but the road is hard.
The US and other governments have educational programs in place, which is a wonderful start. Often, one-off events that typically attract those who are already interested. Let’s keep those, but let’s sponsor daily one-minute segments for news corporations to distribute. Nothing scary, nothing dire, just simple and straightforward.
A segment on verifying links in emails, don’t open strange attachments and don’t reuse the same password. Quick, simple segments that allow for the average person to digest, once a day, and doesn’t overwhelm them. A security “Billy Nye,” if you will, that doesn’t solve everything, and it doesn’t have to because this leaves room for comprehensive embedded security training in schools – which we needed yesterday.
Our families don’t need to obtain certifications and maintain continuing professional education, so we should stop acting as they do. Until we embed security into our education curriculum, we need security information for the masses that is relatable, understandable, and digestible. We need a Bill Nye for InfoSec, a HAK5 Sesame street, and a news segment that doesn’t show any more hoodies.
Seriously, enough with the hoodies.