Regular readers will be aware that, unlike many people in the security industry, people in this research team tend to be enthusiastic supporters of security education for end users, both inside and outside business: not as The Answer To Everything, not in terms of turning everyone who uses the Internet into a security expert, but as an essential part of any business, social or political strategy for making cyberspace a safer experience for everyone.

In fact, Randy and I wrote a paper for last year's AVAR (Association of anti Virus Asia Researchers) conference ("People Patching: Is User Education Of Any Use At All?") that covers some of those issues in some depth, and ESET strongly supports and is very active in a number of initiatives such as Securing Our eCity, which is very much focused on "educational programs, tools and technologies", and AMTSO (Anti-Malware Testing Standards Organization), which is far more narrowly focused in its topic matter, but also regards education and the sharing of information as fundamental to its mission.

So it was very interesting to see an article on SC Magazine's UK web site based on an interview with our own Juraj Malcho, head of the Virus Lab in Bratislava, in which he presented his views on user education, highlighting a crucial issue: the fact that user education is an ongoing process, not a one-off.

The sad fact is that education is conceptually simple but in practice quite difficult, at least in the long term. Many educational mechanisms are based on alerts and warnings about specific threats, and we've seen many times that such alerts can seriously mitigate the impact of a threat in the short term: for example, when we were able to provide some early warning about the Waledac July 4th spam run. And as long as the bad guys are lazy about using infection mechanisms delivered with stereotypical messages, some people will remember the last time and be more cautious the next time a similar social engineering hook is used. (Sadly, some people will fall time and time again for the same con, and they represent a particular educational challenge...)

However, not all Black Hats are so obligingly lazy: some show startling creativity, not only in technical terms, but in generating new social engineering traps for the unwary. (My colleague Cristian Borghello, at ESET Latin America, has an interesting paper that addresses some aspects of the social engineering problem here.) Unfortunately, many potential victims are less adaptable, and find it difficult to extrapolate from one threat to another.

So while education remains an important, even essential supplement to other, more technical solutions, it can't usually replace them. It's just part of a wider defensive strategy. Though if we could find an effective way of teaching scepticism, that would make the bad guys' job a lot harder. E.M. Forster said something like "the confidence trick is the work of man, but the want-of-confidence trick is the work of the devil." The fact is, though, that a little paranoia can save a lot of heartache, and some very bad men rely on the gullibility of others.

David Harley
Director of Malware Intelligence