Information Security Paradox
The root cause of why users still need awareness in 2006 lies in a legacy of behavior: bad security habits. In computer systems, it is common to start by building a "wide open" system or program and to close it down only after functionality tests show that it works. This habit is reflected in practically every service in use today. Our email accounts accept anything sent to them. Default configurations, as a rule, allow everything to pass and deny nothing. Internet browsers are wide open as well (scripting languages run by default); the security features offered to the end user occupy a few pixels in the bottom-right corner of Internet Explorer, where a padlock is shown. The default protocols are just as open (http, ftp, and so on). Those who create protocols and programs should apply the famous need-to-know principle to their own work, as a need-to-run principle: nothing runs, listens, or is reachable unless something actually requires it.
Although it is understandable that the original Internet services carried few security measures, it is remarkable that fairly new services such as VoIP suffer from the same lack of protection. Since they all sit on the same stack of protocols, one might at least expect stronger security to be built into these emerging tools. But the opposite is the case.
There is a direct relationship between the number of Internet services available to the end user and their exposure (the risk of loss of confidentiality, computer compromise, and identity theft). The sheer multiplicity and complexity of services means that it takes real dedication just to run a secure wireless LAN at home. In other words, the potential for mistakes and for deliberate malicious acts grows as the number of available services and dependencies grows.
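The two preceding paragraphs argue that "allow everything, deny nothing" defaults are the root of the problem and that every additional service widens the exposure. The following example, added here and not part of the original text, makes that concrete: it evaluates one and the same hypothetical rule set under a default-allow ("wide open") fall-through and under a default-deny ("need-to-run") fall-through, then audits which listening ports an Internet host and an office host can actually reach. The rule set, the IP addresses and the list of listening ports are constructed for the illustration; the port that nobody remembered to write a rule for (3306) is the one that shows the difference.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    port: Optional[int]    # None matches any destination port
    src: str               # source network in CIDR notation

    def matches(self, src_ip: str, port: int) -> bool:
        return (self.port is None or self.port == port) and \
               ip_address(src_ip) in ip_network(self.src)


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    default: str           # the fall-through verdict when no rule matches

    def evaluate(self, src_ip: str, port: int) -> str:
        for rule in self.rules:          # first matching rule wins
            if rule.matches(src_ip, port):
                return rule.action
        return self.default              # this is where "wide open" and "need-to-run" differ


# Hypothetical rule set for a small server: HTTPS for everyone,
# SSH only from the office LAN, telnet explicitly forbidden.
RULES = (
    Rule("allow", 443, "0.0.0.0/0"),
    Rule("allow", 22, "10.0.0.0/8"),
    Rule("deny", 23, "0.0.0.0/0"),
)

WIDE_OPEN = Policy(RULES, default="allow")    # closed down "later", rule by rule
NEED_TO_RUN = Policy(RULES, default="deny")   # nothing reachable unless a rule says so

# Constructed list of services that happen to be listening on the host;
# 3306 (a database) is the one nobody wrote a rule for.
LISTENING_PORTS = (22, 23, 443, 3306)


def reachable_ports(policy: Policy, src_ip: str,
                    ports: Tuple[int, ...] = LISTENING_PORTS) -> List[int]:
    """Audit helper: which listening ports can this source actually reach?"""
    return [p for p in ports if policy.evaluate(src_ip, p) == "allow"]


if __name__ == "__main__":
    for name, policy in (("default-allow", WIDE_OPEN), ("default-deny", NEED_TO_RUN)):
        print(f"{name:14} internet 203.0.113.5 -> {reachable_ports(policy, '203.0.113.5')}")
        print(f"{name:14} office   10.1.2.3    -> {reachable_ports(policy, '10.1.2.3')}")
```

Under the default-allow policy the Internet host reaches 22, 443 and 3306: the SSH rule only covers the office LAN, so an outside source simply falls through to "allow", and the forgotten database port is exposed to everyone. Under the default-deny policy the same rules expose only 443 to the Internet and 22 plus 443 to the office; adding a new service changes nothing until someone writes a rule for it, which is exactly the need-to-run discipline the text asks for.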
Additionally, when we speak about security awareness, we ask end users to take responsibility for the emails they receive, while at the same time we have taken the responsibility for securing their own systems away from system administrators by deploying vulnerability scanners, integrity tools, and so on. There is a paradox here: we do not trust a system administrator with the configuration of their own systems, so we deploy internal port or application scanners to check their work. Yet we ask the end user, who is not an expert in information systems, to know and apply a set of good practices.
In the future, every user will need to know much more about computers and the Internet. In the late 1980s, when personal computers came into universal use, some people were excluded because they did not make the move. We face a similar model with computer behavior. Future workers will have to have secure behavior embedded in their habits, or else they will not work at all. Would you hire someone who would click on an email with Paris Hilton on it? I predict that today's type of awareness programs will become irrelevant when people know how to deal with current problems: not because of outstanding security awareness programs, but because of the issues each of them will have faced in their everyday experiences. The human firewall is building itself, regardless of the awareness programs' efforts.