Sunday, August 19, 2007

End User Education

I recently completed a very well designed course in web application security put on by the SANS Institute. My job at the University of Northern Iowa involves managing web servers, including online learning systems, general web servers and specialized web-based application servers. As you might imagine, security is a large and growing aspect of my job. While the training focused mainly on highly technical issues, one concept that came up again and again was that the most vulnerable part of the web is the end user.

In the IT industry, the end user is the consumer, the person sitting at their personal computer using the systems managed by system administrators like myself. Online criminals know that many, if not most, people using the web lack a basic understanding of the security threats present on the web. They will often use various techniques to scam people into giving up valuable personal information such as banking information, credit card numbers or other personal information. This is called phishing.

A survey paid for by Microsoft recently found that one in five online users have been tricked by these phishing scams. While there are a number of technical solutions that can help reduce the likelihood of falling prey to these online criminals, the ultimate solution is for people to change their behaviors online. Most people know about the dangers of visiting "the wrong part of town" and take reasonable precautions when they travel. However, most don't have any idea how to give themselves and their families a reasonably safe experience online.

This all ties in with another news story. A group of computer companies has joined forces with several educational organizations to propose that all school children be given training on safe behavior on the Internet. I think this is an excellent idea. As a society, we've had generally successful attempts made to reduce other dangers our children face, and if done properly, this could help to reduce the success of future phishing scams. Additionally, this may help make some progress in the fight against online predators and other crimes against children that involve computer technology.

While I strongly support any effort to educate our children in these issues, I also feel it's vital that we educate the parents as well. I'm a strong believer that education starts in the home. Parents must know the basics of safe online behavior if they have any hope of having their children understand these dangers. I am currently investigating ways to make this happen in my community. If you have any suggestions, please feel free to post them in the comments.
