Greg Young

A member of the Gartner Blog Network

Greg Young
Research VP
6 years at Gartner
22 years IT security

Greg Young is a research vice president in Gartner and the lead analyst for network security. Mr. Young has experience in IT security in product companies, and in both the private and public sectors. He spent his military career in technology security…

Security Education and The Human Condition

by Greg Young  |  May 15, 2009  |  3 Comments

The CBC radio program Q hosted scholar of the con Ricky Jay (podcast here). 

Ricky told a great story about a guy who leaves his dog with a bartender for a few minutes.  Another guy comes in and raves about the dog, claiming it is a rare breed, says he would pay $600 for it, and says he will be back later.  The dog owner comes back, and the bartender offers $200 for the dog.  The dog of course is a mutt, and the two gents were in cahoots.

Ricky pointed out that cons will never go away because people will always be greedy and what they are greedy about goes in cycles.  So once a con is exposed it just goes on the shelf for a while.

A good percentage of online scams and phishing are indeed playing on ‘too good to be true’ propositions, or what I call greed.  With vanilla phishing like what Facebook users recently experienced again, education can be somewhat useful.  But when it comes to malware that plays on any of the human conditions like greed, vanity, loneliness and so on, or to conning the con, no amount of education works.  As you read this, someone somewhere is clicking on that ILoveYou.exe attachment.

Security education quickly reaches diminishing returns.  If you were given $1000 to buy either posters to remind people to change passwords or a thingie to make them change them – which would you buy?

3 responses so far

  • 1 Ant   May 15, 2009 at 12:52 pm

    Neither!

    Forcing users to change passwords actually has limited value — and may encourage bad behaviour that creates other vulnerabilities. See http://my.gartner.com/portal/server.pt?gr=dd&ref=shareSummary&resId=476267.

    Better to invest in something better than passwords!

    – Ant

  • 2 Andrew   May 25, 2009 at 9:34 am

    I agree with Ant — getting users to change their passwords on a regular basis is the wrong approach. In fact, there is data that shows that people forget their passwords the most right after they are changed (and also after vacations). Getting them to select good passwords and teaching them to manage them is a better approach.

    What to do about “the password problem” is an interesting question. Have a look here for a discussion:
    http://www.andrewpatrick.ca/security-and-privacy/passwords-if-were-so-smart-why-are-we-still-using-them

  • 3 Greg Young   May 25, 2009 at 9:38 am

    Password change was an example only. My point wasn’t about the sense of changing them, but what about when you have to? We can debate the merits of compliance, but when management says “change them” would you rely on user education or a technical measure to ensure it is done?