There is No Incentive to End Security Apathy

Monday, October 11, 2010

Andy Willingham

I ran across a couple of articles tonight that are on different topics, but both of them made me think the same thing.

The first one is by Brian Krebs, and it’s about a new bill that has been introduced to help protect the banking accounts of cities, towns and schools. The other one is about a new checklist that Google has put out to help users secure their Gmail accounts.

Now, don’t get me wrong: I’m all for protecting people’s accounts, no matter what type they are. After all, I am in information security for a reason. The problem I have is that protecting an account requires the user to want to protect it.

Gmail users have to want to take the initiative to download the checklist and do what it says. People on Facebook have to want to ensure that their security and privacy settings are up to date and set to something reasonable.

Those who do online banking have to want to protect their accounts and their money. You would think that this one would be a no-brainer. After all, money is pretty important to day-to-day life for most people.

What I have seen is that users (at least a large number of them) don’t want to be bothered with these things. They have developed an entitlement mentality or an apathetic one.

After all, in many of these cases there is no real incentive for the user to care. The bank will cover your losses, so why worry about having money taken from your account?

Unless you use your Gmail for business, what do you care if someone sends spam or malicious links from your account? All you have to do is say it wasn’t really you, and everything is OK.

I’ve worked in financial services for many years, for lots of different types of companies in the industry: banks, payroll processors, check cashers and vendors, and I’ve consulted for many others.

One common theme I’ve heard is: keep the user impact to a minimum.

Now, I understand that we don’t want to make it such a pain to do business that customers go elsewhere, but there has to come a point where users start taking responsibility. We can’t continue to hold their hands and fix all of their problems for them.

After all, why is it wrong to ask a user to take a couple of extra steps to protect their identity, reputation, finances or privacy?

In many other parts of our lives we are expected to know and do the right thing, and if we mess up, we pay. Yet we’re given a free pass online. It doesn’t make good sense to me.

Many people who get pwned on the internet do so out of ignorance, stupidity or apathy. Some get pwned completely innocently, due to sheer bad luck.

Yet when bad things happen as a result of being pwned, the reason for the pwnage is rarely taken into account.

The bank doesn’t care whether your system is infected with ZeuS because you happened to go to on the day that they happened to host a malicious ad for something you needed, or whether you picked it up at

The banks take it on the chin because they want to retain you as a customer, and because the government says they have to. So why should you care?

I’m big on personal responsibility, and I happen to think that the internet is a place where people need to take more of it.

They need to take it upon themselves to understand the threats of going to and of clicking on every cute, free, stupid thing that comes their way.

I think the possible consequences of not knowing are too great, to others as well as to the user, to keep letting things go as they are. After all, we are expected to know and obey the laws of the various towns and states we travel to.

If we break a law out of ignorance, the police don’t say “It’s OK, just be more careful.” At least not very often. So if that is expected of us offline, why isn’t it expected of us online?

Cross-posted from 

Ray Tan: What should I say?
As you have mentioned, a large number of internet users are not willing to take extra steps to protect themselves; they have no idea of the risks.
In China, the bank would not pay for the losses you suffered if it was convinced that the transaction was processed with the correct PIN.
However, this does not stop the fraud or make the user cleverer.
They need to pay for it and feel the pain before they learn about the risks and losses, sometimes.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
