A new study finds that only 1 in 10 consumers have had any classes or training about protecting their computer and/or their personal information during the last 12 months. Indeed, a shocking 68 percent say they have never had any such training, ever. These and other findings, first revealed by ESET at the Virus Bulletin conference in Dallas, come just in time for National Cyber Security Awareness Month.

[Pie chart: Security awareness due to lack of training]

In our ongoing efforts to better understand the information security challenges that we, as a society, now face, ESET asked a cross-section of computer users several security-related questions.

The most worrying findings? Only 1 in 10 people who regularly use a computer or other digital device to connect to the Internet have received any kind of cyber security training in the last 12 months, and more than two thirds have never had any such training. That 68/32 split you see in the pie chart rang a bell with us because it mirrored a different ESET poll, conducted by Harris earlier this year. The purpose of that poll was to study implications of the bring-your-own-device or BYOD trend. We asked employed U.S. adults if they had received any kind of computer security training from their employer and only 32 percent said they had. Another 64 percent said they had not and 4 percent said they couldn't recall having such training, which probably means it was not worth remembering. Clearly, with two separate surveys indicating that under a third of Internet users have had security training, we could be doing a much better job of educating employees and consumers about cybersecurity.

More cyber-security training needed, and needed now

While the total number of people in our latest survey who received no training was disappointing, things appear even worse when you take a closer look. Most of those who got training received it more than 12 months ago. Given the rate at which new threats emerge, and new defensive behaviors are needed, finding that only 10% had received any security training in the last 12 months was very disappointing. Here is the full breakdown of responses to the question: "Have you ever had any classes or training about protecting your computer and/or your personal information?"

  • No training ever: 68%
  • Yes, in last 12 months: 10%
  • Yes, 1-2 years ago: 5%
  • Yes, 3-5 years ago: 5.5%
  • More than 5 years ago: 11.5%

Frankly, I find these numbers alarming in their implications for cybersecurity, the protection of the data streams that have become the lifeblood of our digital economy and our nation's critical infrastructure. These findings also cast doubt on the perennial assertion by some experts that security problems mainly arise from the stupidity of users. In light of these survey results it is worth asking whether the stupidity lies more with those who expect to achieve system security without providing any education on the subject to the people who use the systems.

During the evolution of computer security over the last 20 years there has been a persistent hope that security was a problem that could be solved technologically, therefore saving us the trouble of educating computer users about security. Clearly, that has not happened and, ironically, the improvements made in security technology have actually shifted the point of attack to users. Consider two current trends:

1. 64-bit malware: As my colleague Aleksandr Matrosov pointed out in his analysis of the Rovnix bootkit framework, the task of writing malicious code that can successfully exploit 64-bit systems is getting harder. At the same time, marketing projections tell us that more and more systems will be 64-bit, a growing obstacle for cyber-criminals.

2. Gateways to control applications: Both Apple and Microsoft are looking to restrict the installation of applications by end users in order to control the quality, and legitimacy, of application code. Users will need additional persuading (or social engineering) in order for malware to circumvent these controls.

The implications of these two trends? People who seek to profit from unauthorized access to our data and systems will be forced, increasingly, to try to exploit human vulnerability. Tricking users into compromising their systems (and other systems to which they then connect) will be increasingly important as an attack vector. And that means the case for arming all computer-using humans with security training is stronger than ever. Sadly, these survey results suggest there is a ton of work to do before we can hope to achieve that goal.

In the next installment of statistics from our recent survey we will explore consumer knowledge of cybersecurity in the absence of widespread training and look at some of the educational initiatives ESET is working on. In the meantime, please explore all that is going on in October for National Cyber Security Awareness Month. For example, you might want to point friends and family to the cybersecurity training modules that ESET has made available free of charge to Internet users in North America for the month of October.