Like most security professionals, Michele Daryanani is vociferous when it comes to the role that user education plays in IT security. If we bombard users with security warning messages, surely that should aid in educating users - even if they only read a handful of the messages, right? Or is less really more in this case?

I was asking myself this precise question a couple of years ago - just about when Microsoft introduced elevation requests (in the form of User Account Control, which was quite widely hated).

Similarly, Apple has been using the concept of elevation since swapping to a *nix core (dare I say BSD?). The implementations aren’t identical (OSX used to request a password for each elevation request), but they are similar enough to invite comparison.

At the time, I was an Apple System Administrator and found that a lot of my mobile users had issues with the keychain program, which is, in essence, a password vault. Under certain circumstances it would become unsynchronised and prompt the user for credentials every time it tried to use a password from the vault.

While the solution was quite simple, it appeared that most users wouldn’t think twice and would simply provide their credentials each time they were requested. For some users, this happened on every web page that had a password field.

The issue (and opportunity) was that the credential request popup for keychain was almost indistinguishable from the elevation request popup.

As I was doing an MSc in software and systems security at the time, I suggested that there might be an opportunity for research in the area. At the simplest level, there were two pools of users: those who were used to seeing Apple’s popup, and those who were not.

In conjunction with the University of Oxford, and with the blessing of CUREC (the Research Ethics Committee), I set up a simple test. An online questionnaire was created, and halfway through the questionnaire a simulated phishing attack was launched on the respondent.

The phishing attack consisted of a popup window designed to look like an elevation request. If the user entered their credentials, nothing was sent back to the server: a client-side script checked only whether a password had been typed and then wiped it (we need to remain ethical, after all).

Therefore, there were three possible outcomes:

  • users who had seen more of the elevation windows would be more vigilant, and realise that the window was fake;
  • users who had seen more of the elevation windows would be desensitised to the popup and be more likely to give away their credentials;
  • having seen the elevation windows before would have no impact whatsoever on responses.

After over 300 responses, 5.19 per cent of respondents released their credentials. This was perfectly in line with research published by Sophos, who found that ‘Phishers are able to convince up to 5 per cent of recipients to respond’.

Of the 5.19 per cent who gave their password, 87.5 per cent had previously been exposed to the elevation popup, while only 12.5 per cent were deemed not to have been desensitised.

Measured against all respondents, this equates to 1.6 per cent of non-desensitised users giving their passwords versus 20 per cent of desensitised users doing so. Hence, it was quite obvious that users who saw more of the security popup window were desensitised and thus more likely to give away their private details.

While that may seem obvious in retrospect, it raises a few very important points. Firstly, user education does not mean an incessant bombardment of security messages. Secondly, less really is more when it comes to security warnings.

Hence, if we bombard users with security warning messages, the user effectively switches off. At the same time, without any information, how is the user to make a decision at all, let alone an educated one?

The middle ground is one that needs to be found carefully. On one side, the manufacturer wants the software to be seen to be doing its job (especially when it comes to anti-malware); on the other, most users are quite happy never seeing an anti-virus alert (or any other security warning message).

Does the same apply to education? Is it actually possible to over-educate a user in IT security? Could too much awareness have a detrimental effect? At first glance it would appear not, but I’m open to opinions.