Businesses, apart from most SMEs, can usually point to an information security manager or security expert with the technical knowledge or experience to help make sound security decisions. Home computer users have to make their own decisions but have little knowledge or experience to make them wisely.
Security is everyone’s responsibility. And although we cannot blame the average home user for poor home computer security, there is increasing evidence that home computers are one of the weakest links in the security of the web. But why is home computer security so difficult to achieve? It is instructive to look at the main problems for home users and see how they relate to the commercial sector.
1) The degree of technical skill required – although a lot of security applications are simple in theory, in practice problems emerge which require some skill or understanding to rectify;
2) The need for ‘eternal vigilance’ – security must be continually monitored and managed. Most users would like to forget about it;
5) Breaking security rules (like not opening attachments unless you know and trust the source) for convenience;
6) Difficulty of assessing risks – home users lack guidance on how to assess risks and have little ‘feel’ for them. Some vulnerabilities are risks mainly for third parties, for example when a home computer is recruited into a DDoS botnet, so the home user has little incentive to avoid them;
5) Expectation of new high tech products is that they work as advertised and don’t require much maintenance and support – technology is expected to be a simple ‘black box’;
6) Unwillingness to bear the costs of security – products, time, ability;
9) Nature of the social engineering threat – the human element of security is often overlooked; in the case of home users, scams that work in the offline world work just as well on the web;
8) Vendor complacency – this is not a criticism of vendors, it is a natural consequence of the market. If buyers cannot judge the level of security in a product, they cannot make purchasing decisions which factor in security, and thus vendors have no incentive to improve security;
9) Home users may include different types of family members with a range of IT and security skills;
10) A typical customer will first enjoy the features and functionality of a new purchase and it may be some time before security issues become a concern. By then it may be too late.
‘Security is a process, not a product’ is a mantra often aimed at businesses. It is true of all security, but home users have no training and little awareness of the importance of process or risk assessment. It is sometimes unclear what the best processes are for achieving good home computer security. Upgrade an old operating system to a new one? Technically challenging, and the cost may not justify the benefit. Choose a complicated password? Yes. Write it down? Some say yes, some say no! Little wonder that security is often ignored by home users.
Dr Robert Rowlingson is a principal R&D consultant in cyber security in BT Research and Innovation, and the author of the BCS book The Essential Guide to Home Computer Security.
Read his blog at www.homeinfosec.blogspot.com.