Jul 14, 2013

Why people open dangerous email attachments despite all awareness campaigns – are they stupid or what?

Just recently I followed Duke University's online course, A Beginner's Guide to Irrational Behavior, taught by Dan Ariely, Professor of Psychology and Behavioral Economics. The course was excellent and also motivated me to read Professor Ariely's books.

Got a certificate :-)


The course had a small writing assignment to show that the teachings had been internalized. I, of course, decided to write something security-related, keeping in mind that the readers are not security experts. I chose my topic to be

Why people open dangerous email attachments despite all awareness campaigns – are they stupid or what?

A common way to spread computer viruses is via email attachments designed to infect the user's computer. Unless the attachment is opened, the computer is not infected, so the user must be lured into opening the file. Although organizations put a lot of effort into educating users not to open suspicious attachments, someone always will. A lot of money is spent on automatically recognizing and deleting these malicious files, but there are always new tricks to circumvent the countermeasures, and the number of viruses has skyrocketed in recent years.

Here's a typical example of an email with an infected attachment that I received recently, apparently from Bank of America:

Transaction is completed. $39976449 has been successfully transferred. If the transaction was made by mistake please contact our customer service. Receipt of payment is attached.

The problem from an organization's point of view is that these malicious files are emailed en masse, and it takes only one user opening the attachment for the whole network to be infected.

A common saying is that the user is the weakest link in security, which in practice means that users are stupid and lazy. I would say instead that computer programs are not designed with human intuition and behavior in mind.

Why do people tend to open malicious attachments? I can think of several reasons. First, we receive legitimate attachments all the time and need to open them, so opening is common practice, and anchoring makes opening the attachment the default behavior. Second, these scams usually offer us riches, love, health or something else everybody wants, and it's FREE. Third, virus-spreading emails usually carry a falsified sender name that looks legitimate. Fourth, understanding computers, software and viruses is complicated, so we take the path of least resistance and just click the attachment. Fifth, although we have been told about the dangers of viruses and how to behave securely, that was probably a while ago, and awareness training doesn't have a long-term effect. To my mind, security awareness training is comparable to being reminded about morality. I could think of even more reasons, but this will do for now.

What to do, then? Obviously we have to improve automated security measures so that more viruses are caught before users even see them. However, it's impossible to catch them all. I think we first need better operating systems that prevent infections, or at least make them much harder. Then we need intelligent email clients that can learn from the user's own correspondence what a typical email looks like from that user's point of view. Finally, we need to remind the user of the possibility of a virus just before she opens the file. Clicking the attachment could show a reminder explaining why the email software has categorized the attachment as dangerous and what the unwanted consequences of opening it could be. The user gets the warning just in time and has to confirm that she really wants to open the file. Naturally the default must be not to open the file. The trick is to make the email software intelligent enough that the user doesn't get false alarms and doesn't have to make these decisions too often.
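To make the idea concrete, here is an added example (my own illustration, not code from the original post or from any real email client) of the three pieces the paragraph above asks for: an attachment classifier, a "what the client has learned from your own mail" signal, and a just-in-time prompt whose default is not to open the file. The sender domains, file names, the set of known correspondents and both sample messages are constructed for illustration; the extension lists are assumptions about what a typical blocklist would contain.

```python
"""Added example, not code from the original post: a small attachment
risk check of the kind the post proposes, plus a just-in-time warning
whose default is NOT to open the file. Every message, address, domain
and filename below is constructed for illustration."""
import re
from email import message_from_string, policy

# Assumption: file types that execute when "opened" (a typical blocklist).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Assumption: document types used as the fake half of a double extension,
# e.g. 'receipt.pdf.exe', which many mail clients display as 'receipt.pdf'.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def sender_fields(msg):
    """Display name, address and lower-cased domain of the first From address."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return "", "", ""
    first = hdr.addresses[0]
    return first.display_name, first.addr_spec, first.domain.lower()


def attachment_reasons(filename, sender_is_known):
    """Signals derived from one attachment's file name."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"'{filename}' is a program (.{ext}), not a document")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"'{filename}' hides a program behind a fake .{parts[-2]} name")
    if ext in ARCHIVE_EXTS and not sender_is_known:
        reasons.append(f"'{filename}' is an archive from a sender you have never written to")
    return reasons


def assess(raw_message, known_domains):
    """Return the reasons the client would show; an empty list means no warning.

    known_domains stands in for what the client has learned from the user's
    own correspondence: the domains the user has previously sent mail to.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr, domain = sender_fields(msg)
    known = domain in known_domains
    reasons = []
    if not known:
        reasons.append(f"you have never written to anyone at '{domain or 'unknown'}'")
    # Classic spoof: the display name shows one address, the real one differs.
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        reasons.append(f"sender claims to be at '{claimed.group(1)}' but mail came from '{addr}'")
    for part in msg.iter_attachments():
        reasons.extend(attachment_reasons(part.get_filename() or "", known))
    return reasons


def decide_open(reasons, user_answer=""):
    """Just-in-time prompt: a flagged file opens only on an explicit 'yes'."""
    return not reasons or user_answer.strip().lower() == "yes"


def warning_text(reasons):
    """The reminder shown at the moment the user clicks the attachment."""
    lines = ["This attachment was classified as dangerous because:"]
    lines += [f"  - {r}" for r in reasons]
    lines.append("Opening it could run a virus on your computer. Type 'yes' to open anyway.")
    return "\n".join(lines)


# Constructed sample data (not real mail): domains the user has written to,
# a scam modelled on the post's "receipt of payment" email, and a normal mail.
KNOWN_DOMAINS = {"example.org", "example.com"}

SCAM = """\
From: "Bank of America <alerts@bankofamerica.com>" <notify@bofa-secure-update.example.net>
To: me@example.org
Subject: Transaction is completed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Transaction is completed. $39976449 has been successfully transferred.
Receipt of payment is attached.
--b1
Content-Type: application/octet-stream; name="receipt.pdf.exe"
Content-Disposition: attachment; filename="receipt.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

LEGIT = """\
From: "Alice" <alice@example.org>
To: me@example.org
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Report attached, see you Monday.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    for raw in (SCAM, LEGIT):
        found = assess(raw, KNOWN_DOMAINS)
        print(warning_text(found) if found else "No warning; opening normally.")
        print("opened without confirmation:", decide_open(found))
```

The point of the example is the shape of the decision, not the particular heuristics: the scam trips several independent signals (unknown sender domain, a display name that claims a different address, an executable behind a fake .pdf name), so it is shown a specific explanation at click time and stays closed unless the user types "yes", while the ordinary report from a known correspondent produces no prompt at all, which is what keeps the number of decisions forced on the user low.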

In general, software companies need to understand human behavior, and especially irrational behavior, much better and make use of that knowledge when designing software. It's not the users of software who are the weakest link; it's the programmers who don't make software suitable for users, but instead force them to make tough decisions in a complicated environment.