What concepts should we teach?
What topics are the most important ones for users to learn? There are so many possibilities that it is hard to narrow down to only a handful. If we only got to pick three, here are the three I would choose:
- The Internet is fun but only deal with trustworthy sources.
This is the most important piece of advice we can give users because it is an abstract concept. All other pieces of advice derive from this. You can buy antivirus software online but make sure you buy it from a website you trust. You can shop for pharmaceuticals but you must only buy them from a source you trust.
By teaching people an underlying abstract concept, other security countermeasures emerge from it. It is abstract concepts that support transfer, not contextualized advice. Once users get the idea that they should only deal with trustworthy sources, their behavior changes. They know to log in to secure sites because those ones can be trusted. They use different passwords with different websites because they don't know if some of them can be trusted to keep their information secure, and so forth.
- Keep your software up-to-date
This is the most important piece of contextualized advice we can give users. In order to make sure that people remember it, we should build upon experiences that they already know and do every day.
One activity that everyone in the West knows about is brushing their teeth. We do it in order to prevent our teeth from decaying and falling out. Tooth decay is very painful, and brushing helps prevent it.
Furthermore, brushing our teeth is something that we have to do every single day, even twice a day. It is not something that we do once and forget about; it's daily maintenance, and we have to do it every day for the rest of our lives. If we don't, our teeth go bad.
Keeping our software up-to-date is like brushing our teeth:
- It’s good for our health.
- If we don’t do it there are bad consequences.
- We have to do it every day (or at least regularly) for the rest of our lives.
Once we have built the necessary foundational knowledge for users, and once they understand that they need to stay up-to-date, software must make it easy for users to stay up-to-date. Microsoft Windows should have automatic updates enabled by default, and so should web browsers. There must be an easy way for users to see if their software is configured to update automatically, and they need to know how to check to see what the settings are.
- Learn to recognize scams.
Next to keeping your computer up-to-date, the ability to recognize a scam is the most important thing. Criminals do not need to exploit vulnerabilities in computers to cause harm; they only need to trick the user into doing something like sending them money or handing over their username and password.
Experts are able to transfer information that they learned in one context and apply it to another. If someone is going to recognize a computer scam, it will be much easier if they borrow from pre-existing knowledge and apply it to computers. For example, many parents will know when their children are trying to manipulate them. If they have two kids and come home one day to find that the cookie jar is empty, or worse yet, has been knocked over and is broken, and then both kids deny it, something is wrong. Parents often rely on cues their kids give them in response to questioning to detect deception, such as averting their eyes, inconsistent or evasive answers, or turning their bodies away from direct questioning.
When teaching people to recognize phishing, a connection should be made by linking the broken cookie jar to a "bank" telling someone to log in to their account and update their information. Parents already know how to tell if something is wrong in their house, and if the emotional connection can be made between that and their email notifications, then rather than fear being invoked, suspicion is aroused. If suspicion is aroused, then fear is only a low-intensity emotion and acts in an advisory role. If people think through what they are doing and equate cyber scams with real-life ones, they are less likely to fall for them.
Part 1 – Introduction
Part 2 – Expertise
Part 3 – Experience
Part 4 – Metacognition
Part 5 – What should we teach?
Part 6 – Bringing it all together