Thu 15 Sep 2005 07:31:26 PM PDT
Why User Education is not the Answer
(updated 15 Sep 2005: added link, example)
Jakob Nielsen has a good point that User Education Is Not the Answer to Security Problems.
And "Educating Users" made the Six Dumbest Ideas in Computer Security.
End-user instructions for legitimate web sites and IT products are more counterintuitive than the instructions for being victimized by a phishing scam or the instructions for decrypting and installing a social engineering worm.
As long as the industry is willing to make users do complicated and incomprehensible things, attacks that depend on confusing the user will succeed.