6

Often I come across people who don't understand the importance of security or privacy. They are careless, and many times they will quote some nonsense like 'I have nothing to hide...' etc.

What is the best approach to explaining to them why it is important to protect yourself in the virtual world?

I've checked one document, 'How to raise information security awareness', but it was too specific; I didn't find enough information there for what I'm asking right here.

I think it is nice to use analogies to make concepts clearer in layman's terms.

Mirsad
  • Difficult, because there's so much they don't know. Perhaps just beginning to explain some of the technical intricacies that they won't understand, and then quickly ending with 'so there are a variety of basic things you can do to protect yourself' would work. – infinite-etcetera Jan 29 '17 at 08:20

2 Answers

6

Information security is a technically complex topic and it is largely invisible. You can see a door lock, and see a burglar, and see and understand the loss of your TV, but one cannot see or understand what it means for a database of password hashes to be accessed by an unauthorised person.

I found my greatest successes by communicating the end risks simply ("your email account is a doorway into your bank account") and tying the risks to something the person cares about.

The key here is not just "you have to understand the importance", but understanding exactly how it is important to them. An academic approach is doomed to failure for most people.

So, the analogies you use have to be tied to your audience.

I once taught security awareness to the claims department call center of a large insurance firm. The people were not insurance professionals, but just average people taking calls all day from people who have just had an accident or some other form of major or minor personal disaster.

It was difficult to "get them to care" until I made a single simple statement: "you deal with people on what might be the worst day of their year or even their life - don't make it worse by exposing their personal details to hackers or inadvertently infecting them with a virus." THAT was something they cared about, and suddenly they were interested to know what they could do to not make someone's bad day worse.

So, you have to understand that you can comprehend this stuff at a level that others simply won't be able to. Your job is to empathise with your audience and make it "real" for them where they are.

schroeder
-2

Straight answer: There is none. People only truly learn when they get hacked and something goes terribly wrong, possibly involving police and/or losing financial or intellectual property.

Analogy version: Being and acting online is like walking through a minefield. Better watch out for the mines, because plenty of lives have been destroyed already.

EDIT to add a response to downvotes:

Ok, let's talk about audience. People who value privacy and security in their lives but are not aware of virtual world complexity will listen and the more they learn, the more they'll want to learn, to the point where they'll learn on their own. The other group, the ones being quoted in the OP, most of them won't listen until it's too late.

Now imagine a company of 50 people that sells delicate products to a large population of people worldwide, where the main feature is discretion. It only takes 1 person in the other group, whom a hacker will exploit to get into the system, steal the database, and ruin the whole company, including the lives of the other 49 people.

Analogy: 10 people walk through a minefield as a group. One steps on a mine and all 10 get injured, despite the other 9 being extra careful.

It always boils down to the human aspect, no matter how secure the system is. And we all know that there are people whose minds cannot be awoken or de-egoed by any amount of effort. If you 'know' better, then my friend, you are lying to yourself.

So instead of editing out the flaws, people should look at how to improve the overall system, including the human aspect. Which means, rather than doing more explaining, re-evaluating who does what and where, and who has access to what and where.

On the bright side, one thing I do agree with is that communication is key, but that is just not enough to make your system secure these days.

user633551
  • The logical errors here are staggering. You, like others, state that unless you can perfectly convince 100% of the people then it's not worth doing (your 1/50 and 1/10 analogy). But that's not the question or the point. The *question* is "how to explain". You're getting downvoted because the answer of "there's no point in explaining" is not an answer.... – schroeder Jan 29 '17 at 07:51
  • I upvoted your 'straight answer' as it is true for some people, though not for everyone. I especially like the point about simply engineering things to be more secure in the first place; I'd expect this would be the only way things would work. – infinite-etcetera Jan 29 '17 at 08:22